Cyber Resilience

CVE-2022-2143

Critical · Public PoC · RCE

Published: 22 July 2022

Modified: 21 November 2024
KEV Added: not listed
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.5831 (98.2nd percentile)
Risk priority: 55 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-2143 is a critical-severity command injection (CWE-77) vulnerability in Advantech iView. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 1.8% of all CVEs by EPSS exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-2143 covers two command-injection flaws, both classified as CWE-77, in Advantech iView. Both reside in the NetworkServlet component and carry a CVSS 3.1 base score of 9.8, reflecting a vector that is reachable over the network and requires neither authentication nor user interaction.

An unauthenticated remote attacker can supply crafted input to the servlet and execute arbitrary operating-system commands, resulting in full compromise of the confidentiality, integrity, and availability of the affected system.
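To make the CWE-77 pattern concrete, the following is an added example of the same bug class in a Python request handler, placed beside its hardened counterpart. It is not Advantech iView code and does not reproduce the NetworkServlet flaw; the handler names, the "host" parameter and the use of echo as a stand-in for a network utility such as ping are assumptions made for the demonstration.

```python
"""Command injection (CWE-77) in a request handler: vulnerable vs hardened.

Added illustration of the bug class behind CVE-2022-2143. This is not
Advantech iView code and does not reproduce the NetworkServlet flaw; the
handler names, the 'host' parameter and the use of 'echo' as a stand-in
for a network utility such as ping are assumptions made for the demo.
"""
import ipaddress
import re
import subprocess


def vulnerable_lookup(host: str) -> str:
    """Builds a command line by string concatenation and hands it to /bin/sh.

    Because the shell parses the whole string, metacharacters in 'host'
    (; | && $( ) ...) terminate the intended command and start a new one.
    """
    cmd = "echo " + host          # 'echo' stands in for a network tool
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, 253 chars total.
_HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def validate_host(host: str) -> str:
    """Allowlist check: accept an IP literal or a syntactic hostname, reject all else."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(host):
        return host
    raise ValueError(f"rejected host argument: {host!r}")


def is_rejected(host: str) -> bool:
    """True if the allowlist would refuse this value (used by the demo below)."""
    try:
        validate_host(host)
    except ValueError:
        return True
    return False


def hardened_lookup(host: str) -> str:
    """Validates first, then passes an argv list with no shell involved.

    The value reaches execve() as a single argv element, so even a value
    that slipped past validation could not be parsed into a second command.
    """
    safe_host = validate_host(host)
    result = subprocess.run(["echo", safe_host], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"     # constructed attacker input
    print("vulnerable:", vulnerable_lookup(payload).splitlines())
    print("hardened rejects payload:", is_rejected(payload))
    print("hardened:", hardened_lookup("127.0.0.1").strip())
```

Running the demo shows the vulnerable handler producing two lines of output for one request (the second command ran), while the hardened handler refuses the same value before any process is spawned. Both defences matter: the allowlist rejects obviously hostile input, and the argv list removes the shell so that whatever does get through is still only ever one argument.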

CISA advisory ICSA-22-179-03 and the accompanying Packet Storm disclosure document the vulnerability and direct users to the vendor patch or configuration changes that remove the injection vectors. Because the flaws are reachable without authentication, limiting network access to the iView management interface to trusted hosts is the usual interim control while the update is scheduled.

The CVE's current EPSS score of 0.5831 is also its peak value to date. EPSS estimates the probability of exploitation in the wild over the next 30 days, so a score this high that has not fallen since publication means the CVE should be prioritised as an active target even without a KEV listing; it does not by itself confirm observed attacks against any particular environment.

Vulnerability details

The affected product is vulnerable to two instances of command injection, which may allow an attacker to remotely execute arbitrary code.

CWE(s)

CWE-77 (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: advantech
Product: iview
Versions: ≤ 5.7.04.6469
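The affected range above is the check that matters for triage. The following added example (not Advantech tooling) flags hosts in an asset inventory that run iView at or below 5.7.04.6469; the inventory rows are constructed sample data, and the comparison is done numerically per component so that "04" equals "4" and a short version such as "5.7" is handled correctly rather than compared as a string.

```python
"""Triage an asset inventory against the affected range for CVE-2022-2143.

Added example, not Advantech tooling. The affected bound (<= 5.7.04.6469)
is taken from this page; the inventory rows below are constructed sample
data. Versions are compared numerically component by component so that
'04' equals '4' and '5.7' sorts below '5.7.0.1' rather than as strings.
"""
from typing import List, Sequence, Tuple

AFFECTED_MAX = "5.7.04.6469"   # upper bound of the affected range on this page


def parse_version(version: str) -> Tuple[int, ...]:
    """'5.7.04.6469' -> (5, 7, 4, 6469); rejects non-numeric components."""
    try:
        return tuple(int(part) for part in version.strip().split("."))
    except ValueError as exc:
        raise ValueError(f"unparseable version {version!r}") from exc


def is_affected(version: str, max_affected: str = AFFECTED_MAX) -> bool:
    """True when version <= max_affected after zero-padding to equal length."""
    a, b = parse_version(version), parse_version(max_affected)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


# Constructed sample inventory: (hostname, vendor/product, version)
INVENTORY: List[Tuple[str, str, str]] = [
    ("iview-01.plant.example", "advantech iview", "5.7.03.6112"),
    ("iview-02.plant.example", "advantech iview", "5.7.04.6469"),
    ("iview-03.plant.example", "advantech iview", "5.7.04.6470"),
    ("iview-04.plant.example", "advantech iview", "5.7.4.6469"),
    ("nms-01.plant.example",   "other nms",       "5.7.0.1"),
]


def exposed_hosts(inventory: Sequence[Tuple[str, str, str]] = INVENTORY) -> List[str]:
    """Hostnames running Advantech iView at or below the affected bound."""
    return [
        host for host, product, version in inventory
        if product.lower() == "advantech iview" and is_affected(version)
    ]


if __name__ == "__main__":
    for host in exposed_hosts():
        print("exposed:", host)
```

Note that the bound is inclusive because the page lists the range as "≤ 5.7.04.6469"; if a vendor advisory states the fixed version instead, adjust the comparison to strictly-less-than before reusing the check.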

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
