Cyber Resilience

CVE-2022-24405

Severity: Critical · Public PoC · RCE

Published: 27 July 2022
Modified: 21 November 2024
KEV Added: not listed
Patch:
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0800 (92.3rd percentile)
Risk Priority: 24 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-24405 is a critical-severity OS Command Injection (CWE-78) vulnerability in Open-Xchange OX App Suite. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 7.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

OX App Suite through version 7.10.6 contains an OS command injection vulnerability, CVE-2022-24405, that affects the Documentconverter API. The issue arises when the API processes a serialized Java class, enabling execution of arbitrary operating system commands and corresponding to CWE-78. The flaw received a CVSS 3.1 base score of 9.8.

An unauthenticated remote attacker can supply a crafted serialized object directly to the exposed API endpoint and obtain arbitrary command execution, resulting in full control over confidentiality, integrity, and availability on the affected system.

The associated EPSS score has remained flat at 0.08 with no material rise after disclosure. Public references point to open-xchange.com and the July 2022 Full Disclosure mailing list archive for further details.

EU & UK References

Vulnerability details

OX App Suite through 7.10.6 allows OS Command Injection via a serialized Java class to the Documentconverter API.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: open-xchange
Product: ox app suite
Affected versions: ≤ 7.10.6

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Managed runtime / sandbox (addresses CWE-78): platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the exploitability of OS command injection.

- Input validation (addresses CWE-78): validates inputs to block special elements that would alter OS command execution.

References