Cyber Resilience

CVE-2022-2550

High · Public PoC · RCE

Published: 27 July 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (release 1.6.5)
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0879 (92.7th percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-2550 is a high-severity OS Command Injection (CWE-78) vulnerability in the HestiaCP control panel (hestiacp/hestiacp). Its CVSS v3.1 base score is 8.8 (High).

Operationally, the CVE ranks in the top 7.3% of all CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-2550 is an OS command injection vulnerability, tracked as CWE-78, that affects the hestiacp/hestiacp repository prior to version 1.6.5. The flaw received a CVSS 3.1 base score of 8.8, reflecting a network attack vector, low attack complexity, and low privileges required with no user interaction needed, resulting in high impact to confidentiality, integrity, and availability.

An authenticated attacker with low privileges can supply crafted input that is passed to operating-system commands, enabling arbitrary command execution on the underlying host. Successful exploitation grants the attacker the ability to read, modify, or delete data and potentially disrupt service operations without further authentication steps.

The referenced GitHub commit (3d4c309cf138943cfd1e71ae51556406987aa4bf) and the associated huntr.dev report document the remediation, which was incorporated into release 1.6.5; administrators should upgrade to 1.6.5 or later to remove the vulnerable code paths.

The CVE's EPSS score rose from lower values to a peak of 0.1045 on 2025-12-11 before receding to the current 0.0879, indicating a period of heightened exploitation interest well after initial disclosure.


Vulnerability details

OS Command Injection in GitHub repository hestiacp/hestiacp prior to 1.6.5.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

hestiacp
control panel
≤ 1.6.5

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the exploitability of OS command injection.

addresses CWE-78: Validates inputs to block special elements (shell metacharacters and separators) that would alter OS command execution.
