CVE-2022-1661

High

Published: 02 June 2022

Modified: 21 November 2024
KEV Added:
Patch:
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0028 (51.8th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-1661 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Keysight N6854A Firmware. Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 48.2% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-1661 is a directory traversal vulnerability, tracked under CWE-22 and CWE-23, that affects unspecified products and enables remote attackers to retrieve arbitrary operating system files. The flaw carries a CVSS 3.1 base score of 7.5, reflecting network attack vector, low attack complexity, and no required privileges or user interaction, with impacts limited to high confidentiality loss.

An unauthenticated attacker can send crafted requests over the network to traverse directories and exfiltrate sensitive files from the underlying operating system, potentially exposing configuration data, credentials, or other restricted content.

CISA has published advisories (ICSA-22-146-01) that outline mitigation steps for the affected products. The EPSS score started low after the June 2022 disclosure, rose materially to a peak of 0.0652 on 2025-01-22, and has since receded to 0.0028, indicating a period of increased exploitation interest that later subsided.

Vulnerability details

The affected products are vulnerable to directory traversal, which may allow an attacker to obtain arbitrary operating system files.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: keysight; Product: n6854a firmware; Version: ≤ 2.4.0
Vendor: keysight; Product: n6841a rf firmware; Version: ≤ 2.4.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
