CVE-2022-1070
Published: 21 October 2022
Summary
CVE-2022-1070 is a high-severity Missing Authorization (CWE-862) vulnerability in Aethon Tug Home Base Server. Its CVSS base score is 8.2 (High).
Operationally, it ranks in the top 35.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-24414
Vulnerability details
Aethon TUG Home Base Server versions prior to version 24 allow an unauthenticated attacker to freely access hashed user credentials.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Session auditing enables detection of unauthorized exposure of, or access to, sensitive information during user activity.
- An inventory identifies all systems holding or processing data, so that unauthorized exposure paths can be found before they are exploited.
- Authentication gates are required on critical functions that must remain unavailable to anonymous public users.
- Remote activation of surveillance-capable devices is treated as a critical function that must be disabled or authenticated.
- Decoys supply misleading data and log access attempts, directly detecting and deflecting unauthorized information exposure.
- Requiring that every action permitted without authentication be identified and justified forces a review of authentication requirements, so that critical functions are not left unprotected.
- Requiring that security and privacy attributes be associated with information ensures authorization decisions are made with the necessary context.
- Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.