CVE-2022-24702
Published: 02 June 2022
Summary
CVE-2022-24702 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in WinAPRS. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-24702 is a buffer overflow vulnerability, tracked as CWE-120, that affects the VHF KISS TNC component in WinAPRS version 2.9.0. The flaw resides in the handling of incoming AX.25 packets and carries a CVSS 3.1 score of 9.8, reflecting network-accessible, unauthenticated remote code execution with full impact on confidentiality, integrity, and availability. The issue is present only in releases that the maintainer no longer supports.
An attacker with the ability to transmit crafted AX.25 frames over the air can trigger the overflow and obtain arbitrary code execution on a listening WinAPRS instance. No user interaction or credentials are required, and the attack surface is exposed to any station within radio range of the target.
Public references, including exploit code published by Coalfire-Research and accompanying technical write-ups, confirm the existence of working proof-of-concept implementations. Because the affected software is unsupported, no vendor patches or official mitigations have been issued; operators are effectively left with the choice of discontinuing use of the product. The associated EPSS score has remained at 0.4009 from disclosure through the present, indicating sustained but not sharply increasing exploitation interest.
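The weakness class described above, handled safely, as an added example (not WinAPRS code and not taken from the referenced proof-of-concept): a KISS frame decoder in C that checks the destination bound before every store and rejects oversized or malformed frames. `AX25_MAX`, the function names and the sample frames are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* KISS special bytes; AX25_MAX is an assumed cap (70 address + 2 control/PID
 * + 256 info + slack), not a value taken from WinAPRS. */
enum { FEND = 0xC0, FESC = 0xDB, TFEND = 0xDC, TFESC = 0xDD, AX25_MAX = 330 };

/* Decode the body of one KISS frame (the bytes between two FENDs, command
 * byte first) into out[out_cap]. Returns payload length, or -1 on reject. */
long kiss_decode(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t n = 0;
    int esc = 0;
    if (in_len < 1 || (in[0] & 0x0F) != 0) return -1;   /* data frames only */
    for (size_t i = 1; i < in_len; i++) {
        uint8_t b = in[i];
        if (b == FEND) return -1;                 /* delimiter inside a body */
        if (!esc && b == FESC) { esc = 1; continue; }
        if (esc) {                                /* byte following FESC */
            if (b != TFEND && b != TFESC) return -1;    /* malformed escape */
            b = (b == TFEND) ? FEND : FESC;
            esc = 0;
        }
        if (n >= out_cap) return -1;              /* bound checked before every store */
        out[n++] = b;
    }
    return esc ? -1 : (long)n;                    /* dangling FESC is malformed */
}

/* Constructed input: a short data frame with both escape sequences. */
long demo_short(void)
{
    static const uint8_t body[] = { 0x00, 'A', FESC, TFEND, 'B', FESC, TFESC };
    uint8_t out[AX25_MAX];
    return kiss_decode(body, sizeof body, out, sizeof out);
}

/* Constructed input: a body four times larger than the receive buffer. */
long demo_oversized(void)
{
    uint8_t body[1 + 4 * AX25_MAX], out[AX25_MAX];
    memset(body, 'A', sizeof body);
    body[0] = 0x00;
    return kiss_decode(body, sizeof body, out, sizeof out);
}

int main(void)
{
    printf("short=%ld oversized=%ld\n", demo_short(), demo_oversized());
    return 0;
}
```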
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29568
Vulnerability details
An issue was discovered in WinAPRS 2.9.0. A buffer overflow in the VHF KISS TNC component allows a remote attacker to achieve remote code execution via malicious AX.25 packets over the air. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.