CVE-2022-2334
Published: 17 August 2022
Summary
CVE-2022-2334 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Softing Edgeaggregator. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 1.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-2334 is an uncontrolled search path element vulnerability (CWE-427) in Softing Secure Integration Server version 1.22. The application attempts to load a library DLL that cannot be found in its expected location, allowing a malicious DLL of the same name to be supplied instead.
An attacker able to place a file in the DLL search path can exploit the flaw remotely over the network. The CVSS vector records low attack complexity and high privileges required; successful exploitation yields arbitrary code execution with high impact on confidentiality, integrity, and availability of the targeted server.
The referenced Softing security notice and CISA advisory ICSA-22-228-04 address the issue and outline mitigation steps for affected deployments. The associated EPSS score stands at 0.6241 with no material change from its recorded peak.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-34603
Vulnerability details
The application searches for a library DLL that is not found. If an attacker can place a DLL with this name, the attacker can leverage it to execute arbitrary code on the targeted Softing Secure Integration Server V1.22.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.