Cyber Resilience

CVE-2022-1070

High

Published: 21 October 2022

Modified: 17 April 2025
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
EPSS Score: 0.0046 (64.4th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-1070 is a high-severity Missing Authorization (CWE-862) vulnerability in Aethon Tug Home Base Server. Its CVSS base score is 8.2 (High).

Operationally, it ranks in the top 35.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Vulnerability details

Aethon TUG Home Base Server versions prior to version 24 allow an unauthenticated attacker to freely access hashed user credentials.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: aethon
Product: tug home base server
Version: ≤ 24

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.

Inventory identifies all systems holding or processing data, enabling detection of unauthorized exposure paths before exploitation.

Requires authentication gates on critical functions that must remain unavailable to anonymous public users.

Treats remote activation of surveillance-capable devices as a critical function that must be disabled or authenticated.

Decoys supply misleading data and log access attempts, directly detecting and deflecting unauthorized information exposure.

Addresses: CWE-306, CWE-862

Requiring that every action allowed without authentication be identified and justified forces a review of authentication requirements, so critical functions are not left unprotected.

Addresses: CWE-862, CWE-200

Requiring that security and privacy attributes be associated with information prevents authorization decisions from being made without the necessary context.

Addresses: CWE-306, CWE-862

Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.