Cyber Resilience

CVE-2022-24526

Medium

Published: 09 March 2022

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.0079 (74.3rd percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-24526 is a medium-severity vulnerability of an unspecified weakness class in Microsoft Visual Studio Code. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 25.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-24526 is a spoofing vulnerability affecting Visual Studio Code, published on March 9, 2022. It carries a CVSS 3.1 base score of 6.1 with the vector string AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N and is categorized under NVD-CWE-noinfo.

An unauthenticated attacker can exploit the flaw remotely over a network by leveraging user interaction to achieve limited effects on confidentiality and integrity, with the changed scope indicating potential impact beyond the vulnerable component itself.

The associated EPSS score rose materially from a low baseline to a peak of 0.0553 on 2025-01-22 before receding to the current value of 0.0079, indicating that exploitation interest emerged after disclosure. No mitigation details are provided in the available references.

Vulnerability details

Visual Studio Code Spoofing Vulnerability

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: microsoft
Product: visual studio code
Affected versions: ≤ 1.65.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
