CVE-2022-1661
Published: 02 June 2022
Summary
CVE-2022-1661 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Keysight N6854A Firmware. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 48.2% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-1661 is a directory traversal vulnerability, tracked under CWE-22 and CWE-23, that affects unspecified products and enables remote attackers to retrieve arbitrary operating system files. The flaw carries a CVSS 3.1 base score of 7.5, reflecting network attack vector, low attack complexity, and no required privileges or user interaction, with impacts limited to high confidentiality loss.
An unauthenticated attacker can send crafted requests over the network to traverse directories and exfiltrate sensitive files from the underlying operating system, potentially exposing configuration data, credentials, or other restricted content.
CISA has published advisories (ICSA-22-146-01) that outline mitigation steps for the affected products. The EPSS score started low after the June 2022 disclosure, rose materially to a peak of 0.0652 on 2025-01-22, and has since receded to 0.0028, indicating a period of increased exploitation interest that later subsided.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-24947
Vulnerability details
The affected products are vulnerable to directory traversal, which may allow an attacker to obtain arbitrary operating system files.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.