
CVE-2022-20145

Critical

Published: 15 June 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (Android Security Bulletin, June 2022)
CVSS v3.1: 9.8 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.0637 (91.2nd percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-20145 is a critical-severity vulnerability in Google Android 11 that lets a malicious Wi-Fi access point recover a device's legacy VPN credentials through a protocol downgrade. No CWE is mapped on this record. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 8.8% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

In startLegacyVpnPrivileged of Vpn.java, a protocol downgrade flaw allows retrieval of VPN credentials on Android 11 devices. The issue is tracked as A-201660636 and carries a CVSS 3.1 score of 9.8, reflecting a vector string with no required privileges or user interaction and full confidentiality, integrity and availability impact. Note that the vector rates the attack vector as Network (AV:N) even though the attack, as described, requires the attacker to operate the Wi-Fi access point the device joins; when scoping exposure, treat the flaw as reachable from any untrusted Wi-Fi network rather than from the open internet.

An attacker operating a malicious Wi-Fi access point can force the downgrade when the device brings up a legacy VPN connection over that network, obtain the VPN credentials the profile stores, and reuse them; the Android bulletin classifies this outcome as remote escalation of privilege. The attacker needs no code execution or privileges on the device and no action from the user, only control of the wireless network the victim connects through.

The Android security bulletin published on 2022-06-01 addresses the vulnerability and supplies the corresponding patches for affected builds. The EPSS probability is modest in absolute terms (current value 0.0637, peak 0.0725) but high relative to other CVEs, at the 91.2nd percentile.

Vulnerability details

In startLegacyVpnPrivileged of Vpn.java, there is a possible way to retrieve VPN credentials due to a protocol downgrade attack. This could lead to remote escalation of privilege if a malicious Wi-Fi AP is used, with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android. Versions: Android-11. Android ID: A-201660636.

CWE(s): none mapped on this record.

Related Threats

No threat-actor attribution is recorded for this CVE, and no ATT&CK technique mapping has been published on this record.

Affected Assets

Vendor: google; Product: android; Version: 11.0

Mitigating Controls

No mitigating controls are mapped on this record. From the description and the bulletin, the controls that follow are: apply the June 2022 Android security bulletin (security patch level 2022-06-01 or later) to every Android 11 device; until a device is patched, keep it off untrusted Wi-Fi networks while it carries a legacy VPN profile, since the attack requires a malicious access point; and treat VPN credentials used from an unpatched Android 11 device on untrusted Wi-Fi as potentially exposed and rotate them.
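As an added example (not code from this page or from the Android project), the following shell script classifies a device's exposure from the two build properties an administrator can read with adb, ro.build.version.release and ro.build.version.security_patch. It assumes, as the June 2022 bulletin implies, that a security patch level of 2022-06-01 or later carries the fix, and that only Android 11 is affected, as this record lists; an OEM build that backports the fix under an older patch level would be reported as vulnerable even though it is not.

```shell
#!/bin/sh
# Exposure check for CVE-2022-20145 from Android build properties.
# Added example, not from the Android project or this CVE record. Assumptions:
#   - the fix ships with security patch level 2022-06-01 or later (June 2022 bulletin);
#   - only Android 11 is affected, as this record lists;
#   - ro.build.version.release and ro.build.version.security_patch come from getprop.

# Usage: cve_2022_20145_status <release> <security_patch_level>
# Prints one of: vulnerable, patched, not-listed, unknown
cve_2022_20145_status() {
    release="$1"
    patch="$2"

    # Only Android 11 is listed as affected on this record.
    case "$release" in
        11|11.*) ;;
        *) echo "not-listed"; return 0 ;;
    esac

    # Patch levels are YYYY-MM-DD; anything else cannot be compared safely.
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac

    # Strip the dashes so the date compares as an integer (20220505 < 20220601).
    patch_num=$(printf '%s' "$patch" | tr -d '-')
    if [ "$patch_num" -lt 20220601 ]; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# Query one connected device over adb and classify it (needs adb in PATH).
check_connected_device() {
    release=$(adb shell getprop ro.build.version.release | tr -d '\r\n')
    patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
    printf 'Android %s, patch level %s: %s\n' "$release" "$patch" \
        "$(cve_2022_20145_status "$release" "$patch")"
}

# `sh check.sh --adb` checks a live device; `sh check.sh --demo` runs the
# constructed sample values below, which need no device.
if [ "${1:-}" = "--adb" ]; then
    check_connected_device
elif [ "${1:-}" = "--demo" ]; then
    for sample in "11 2022-05-05" "11 2022-06-01" "11 2022-06-05" "12 2022-05-05" "11 n/a"; do
        set -- $sample
        printf '%-4s %-12s %s\n' "$1" "$2" "$(cve_2022_20145_status "$1" "$2")"
    done
fi
```

The integer comparison after stripping the dashes is deliberate: `[ a \< b ]` string ordering is not portable across POSIX shells, while the date format guarantees that the digits compare correctly as a number. Devices on Android 12 or later are reported as not-listed rather than patched, because this record only names Android 11 and the script does not guess beyond it.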
