CVE-2022-25226
Published: 18 April 2022
Summary
CVE-2022-25226 is a critical-severity vulnerability in Cybelsoft ThinVNC; its weakness class is unspecified. Its CVSS base score is 10.0 (Critical).
Operationally, it is ranked in the top 0.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
ThinVNC version 1.0b1 contains an authentication bypass vulnerability that permits an unauthenticated remote attacker to obtain a valid session identifier simply by issuing a request to the endpoint /cmd?cmd=connect. The affected component is the web-based remote desktop service exposed by ThinVNC on TCP port 8080. Once a session is established, the same unauthenticated channel can be used to inject arbitrary keyboard and mouse events, resulting in remote code execution on the underlying host.
An attacker with network access to the ThinVNC listener can exploit the flaw without any credentials or user interaction. Successful exploitation grants the attacker the ability to control the desktop session, execute operating-system commands, and fully compromise the confidentiality, integrity, and availability of the server, consistent with the CVSS 10.0 rating.
Public advisories published by Fluid Attacks at the referenced URLs describe the issue and confirm that no authentication checks are performed on the connect command, but they do not detail vendor-supplied patches or configuration work-arounds.
The associated EPSS score has remained at 0.8189 since disclosure, indicating sustained but not newly emerging exploitation interest.
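One way to look for the unauthenticated connect request described above in HTTP logs, as an added example that is not part of the original advisory. The combined-log format, the sample lines, the allow-list and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined-log style, as a reverse proxy or HTTP
# sensor in front of the ThinVNC listener (TCP 8080) might record them.
SAMPLE_LOG = """\
10.0.5.20 - - [18/Apr/2022:09:14:02 +0000] "GET /cmd?cmd=connect HTTP/1.1" 200 148
203.0.113.7 - - [18/Apr/2022:09:15:40 +0000] "GET /cmd?cmd=connect HTTP/1.1" 200 151
203.0.113.7 - - [18/Apr/2022:09:15:41 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.9 - - [18/Apr/2022:09:16:03 +0000] "GET /CMD?x=1&cmd=%63onnect HTTP/1.1" 200 150
198.51.100.9 - - [18/Apr/2022:09:16:05 +0000] "GET /cmd?cmd=connect HTTP/1.1" 404 0
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Assumption: the only hosts expected to open ThinVNC sessions.
ALLOWED_SOURCES = {"10.0.5.20"}

def is_connect_request(target):
    """True if the request target is the /cmd endpoint with cmd=connect."""
    parts = urlsplit(target)
    # Path case is ignored on purpose so the detection over-matches.
    if parts.path.rstrip("/").lower() != "/cmd":
        return False
    # parse_qs percent-decodes values, so cmd=%63onnect is caught as well.
    values = parse_qs(parts.query).get("cmd", [])
    return any(v.lower() == "connect" for v in values)

def find_unexpected_connects(log_text, allowed=ALLOWED_SOURCES):
    """Return connect requests from sources outside the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        src, ts, _method, target, status = m.groups()
        if is_connect_request(target) and src not in allowed:
            hits.append({"src": src, "time": ts, "target": target,
                         "status": int(status)})
    return hits

if __name__ == "__main__":
    for hit in find_unexpected_connects(SAMPLE_LOG):
        print(hit)
```

Because the connect command is not authenticated, any hit from a source outside the allow-list is worth triage regardless of the response status.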
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29925
Vulnerability details
ThinVNC version 1.0b1 allows an unauthenticated user to bypass the authentication process via 'http://thin-vnc:8080/cmd?cmd=connect' by obtaining a valid SID without any kind of authentication. It is possible to achieve code execution on the server by sending keyboard or mouse events to the server.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.