CVE-2022-24506
Published: 09 March 2022
Summary
CVE-2022-24506 is a medium-severity elevation of privilege vulnerability in Microsoft Azure Site Recovery; no CWE has been assigned to it. Its CVSS base score is 6.5 (Medium).
Operationally, its EPSS score places it in the top 6.8% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-24506 is an elevation of privilege vulnerability in Azure Site Recovery. It is rated 6.5 under CVSS 3.1 with a vector of AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H: a network-reachable attack of low complexity that requires high privileges and no user interaction, leaves scope unchanged, and yields high confidentiality and availability impact with no integrity impact.
In practice, an attacker who already holds high privileges on the Site Recovery surface can exploit the flaw over the network to gain rights beyond those granted, exposing sensitive data and disrupting availability; no user interaction is required. The PR:H prerequisite is the main reason the score stays in the Medium band despite two High impact metrics.
Microsoft has published official guidance for the vulnerability in its Security Update Guide (see the listed references); practitioners should review that entry for the available update and any recommended mitigations.
The EPSS score is 0.0989, which is also its peak value since disclosure: there has been no material post-disclosure rise in the estimated probability of exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29387
Vulnerability details
Azure Site Recovery Elevation of Privilege Vulnerability
- CWE(s): none assigned
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.