Cyber Resilience

CVE-2022-23050

High · Public PoC

Published: 24 May 2022

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2737 (96.5th percentile)
Risk Priority: 31 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-23050 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Zohocorp ManageEngine Applications Manager. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 3.5% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

ManageEngine AppManager15 (Build No:15510) contains a DLL hijacking vulnerability tracked as CVE-2022-23050 and assigned CWE-427. An authenticated administrator can use the product's "Upload Files / Binaries" feature to place an arbitrary DLL inside the application's "working" folder, after which the process loads the attacker-controlled library because of an uncontrolled search path element.

An attacker who already possesses administrative credentials can therefore upload a malicious DLL over the network and obtain arbitrary code execution with the privileges of the AppManager service, resulting in full compromise of confidentiality, integrity, and availability. The CVSS 3.1 score of 7.2 reflects the need for high privileges while confirming that no user interaction or additional attack complexity is required once those credentials are obtained.

ManageEngine published a security advisory and corresponding patch that addresses the issue for AppManager15; the Fluid Attacks advisory provides technical reproduction steps and confirms the same vector. The EPSS score has remained flat at 0.2737 with no material increase after disclosure.
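
A defensive check for the condition described above, added here as an example (it is not ManageEngine's or Fluid Attacks' code): it walks a folder, identifies PE images by their headers rather than by file extension, and reports any whose SHA-256 is not on an allowlist. The folder path (for instance the product's 'working' directory) and the allowlist are operator-supplied assumptions, and `fake_pe` only builds constructed sample headers.

```python
import hashlib
import os
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set on DLL images

def pe_kind(path):
    """Return 'dll' or 'exe' from the PE headers (extension ignored), else None."""
    with open(path, "rb") as f:
        dos = f.read(0x40)
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            return None
        f.seek(struct.unpack_from("<I", dos, 0x3C)[0])  # e_lfanew
        nt = f.read(24)  # "PE\0\0" signature + 20-byte COFF header
    if len(nt) < 24 or nt[:4] != b"PE\0\0":
        return None
    characteristics = struct.unpack_from("<H", nt, 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"

def audit(folder, allowed_sha256=frozenset()):
    """Return (relative path, kind, sha256) for PE images not on the allowlist."""
    findings = []
    for root, _dirs, files in os.walk(folder):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, folder)
            try:
                kind = pe_kind(path)
                if kind is None:
                    continue
                with open(path, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
            except OSError:
                findings.append((rel, "unreadable", None))  # report, don't hide
                continue
            if digest not in allowed_sha256:
                findings.append((rel, kind, digest))
    return findings

def fake_pe(characteristics):
    """Constructed sample: 64-byte DOS header, PE signature, COFF header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, characteristics)

if __name__ == "__main__":
    import sys
    # Folder is an operator-supplied assumption; defaults to the current directory.
    for rel, kind, digest in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(kind, digest, rel)
```

Because the check reads headers, a DLL saved under a misleading extension is still reported, while a text file renamed to `.dll` is not.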

Vulnerability details

ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

zohocorp
manageengine applications manager
15.5 · 15.0 — 15.5

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.