Cyber Resilience

CVE-2022-25152

Critical

Published: 09 June 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: fixed in 6.35.37347.20040 (per the vulnerability description)
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0045 (64.0th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-25152 is a critical-severity vulnerability in the ITarian platform (the on-premise product and the SaaS Service Desk), classified as CWE-358, Improperly Implemented Security Check for Standard. Its CVSS v3.1 base score is 9.9 (Critical): network-reachable, low attack complexity, low privileges required, no user interaction, and a scope change with high impact to confidentiality, integrity and availability.

Its EPSS score of 0.0045 places it in the 64.0th percentile, i.e. the top 36.0% of CVEs by estimated exploit likelihood. It is not currently listed in the CISA KEV catalog.


Vulnerability details

The ITarian platform (SaaS / on-premise) offers the possibility to run code on agents via a function called procedures. It is possible to require a mandatory approval process. Due to a vulnerability in the approval process, present in any version prior to 6.35.37347.20040, a malicious actor (with a valid session token) can create a procedure, bypass approval, and execute the procedure. This results in the ability for any user with a valid session token to perform arbitrary code execution and full system take-over on all agents.

CWE(s)

CWE-358: Improperly Implemented Security Check for Standard

Related Threats

No named threat-actor attribution yet; ATT&CK technique mapping for this CVE is in progress.

Affected Assets

ITarian On-Premise: all versions prior to 6.35.37347.20040
ITarian SaaS Service Desk: all versions prior to 6.35.37347.20040

The vulnerability description gives 6.35.37347.20040 as the first fixed release, while the asset records on this page list the boundary as ≤ 6.35.37347.20040; treat that exact build as one to confirm against the vendor before considering it patched, and check the platform build, not just the agent version.

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness type (CWE-358) cited in the NVD entry.

Addresses CWE-358 (Improperly Implemented Security Check for Standard): security assessments and code review that identify security checks which exist but do not actually gate the protected action, so they can be fixed before they are exploited. For an approval workflow in front of remote code execution, that means verifying the approval is enforced server-side at the point of execution and cannot be satisfied by anything the client supplies. For this CVE the direct fix is to upgrade to 6.35.37347.20040 or later; until then, limit which accounts can create procedures and review procedure-execution logs for runs that have no corresponding approval record.
