CVE-2022-23881
Published: 23 March 2022
Summary
CVE-2022-23881 is a critical-severity vulnerability of unspecified weakness type in Zzzcms Zzzphp. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
ZZZCMS zzzphp version 2.1.0 contains a remote command execution vulnerability in the danger_key function located in zzz_template.php. The flaw received a CVSS 3.1 base score of 9.8, reflecting network attack vector, low attack complexity, and no required privileges or user interaction, resulting in complete compromise of confidentiality, integrity, and availability.
An unauthenticated attacker can send crafted input over the network to trigger arbitrary command execution on the affected system. Public proof-of-concept material demonstrates the issue and confirms that successful exploitation yields full control of the application and underlying host.
The two reference URLs consist of technical write-ups and reproduction steps hosted on GitHub; they contain no vendor advisory, patch information, or mitigation guidance. The associated EPSS score has remained at 0.8666 since disclosure with no material upward trajectory observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-28806
Vulnerability details
ZZZCMS zzzphp v2.1.0 was discovered to contain a remote command execution (RCE) vulnerability via danger_key() at zzz_template.php.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.