Cyber Resilience

CVE-2022-2334

Severity: High
Published: 17 August 2022
Modified: 21 November 2024
KEV Added: not listed
Patch
CVSS Score (v3.1): 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6241 (98.4th percentile)
Risk Priority: 52 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-2334 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Softing Edgeaggregator. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 1.6% of CVEs by exploit likelihood (EPSS 98.4th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-2334 is an uncontrolled search path element vulnerability (CWE-427) in Softing Secure Integration Server version 1.22. The application attempts to load a library DLL that cannot be found in its expected location, allowing a malicious DLL of the same name to be supplied instead.

An attacker able to place a file in the DLL search path can exploit the flaw remotely over the network. Attack complexity is low, but high privileges are required; successful exploitation yields arbitrary code execution with full impact on confidentiality, integrity, and availability of the targeted server.

The referenced Softing security notice and CISA advisory ICSA-22-228-04 address the issue and outline mitigation steps for affected deployments. The associated EPSS score stands at 0.6241 with no material change from its recorded peak.

Vulnerability details

The application searches for a library DLL that is not found. If an attacker can place a DLL with this name, then the attacker can leverage it to execute arbitrary code on the targeted Softing Secure Integration Server V1.22.

CWE(s)

CWE-427: Uncontrolled Search Path Element

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor    Product                                   Version
softing   edgeaggregator                            3.1
softing   edgeconnector                             3.1
softing   opc                                       5.2
softing   opc ua c++ software development kit       6
softing   secure integration server                 1.22
softing   uagates                                   1.74

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References