Cyber Resilience

CVE-2022-26233

Severity: High · Public PoC: referenced

Published: 03 April 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: none listed
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.7004 (98.7th percentile)
Risk Priority: 57 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-26233 is a high-severity Path Traversal (CWE-22) vulnerability in Barco Control Room Management Suite. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

Barco Control Room Management through Suite 2.9 Build 0275 contains a directory traversal vulnerability tracked as CVE-2022-26233. The flaw, classified under CWE-22, permits remote attackers to read arbitrary files and components by crafting HTTP requests that begin with the substring "GET /..\..". It carries a CVSS 3.1 score of 7.5, reflecting a network attack vector, low complexity, and no required authentication or user interaction, with high impact to confidentiality and none to integrity or availability.

Unauthenticated attackers reachable over the network can exploit the issue simply by submitting the specified traversal requests, enabling them to retrieve sensitive information and internal components without any prior credentials or user assistance. The attack requires only standard HTTP access to the affected management interface.

Public disclosures on Packet Storm and Full Disclosure detail the traversal technique but do not describe vendor patches or configuration workarounds. The EPSS score reached a peak of 0.8422 before receding to its current value of 0.7004, indicating sustained external interest in the vulnerability after publication.

Vulnerability details

Barco Control Room Management through Suite 2.9 Build 0275 was discovered to be vulnerable to directory traversal, allowing attackers to access sensitive information and components. Requests must begin with the "GET /..\.." substring.

CWE(s): CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: barco
Product: control room management suite
Versions: ≤ 2.9

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: Validates pathnames and filenames to prevent traversal outside intended directories.
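The control above ("validates pathnames and filenames to prevent traversal outside intended directories") and the request pattern described under Deeper analysis ("GET /..\..") are illustrated here with an added example. It is not code from the CVE record, from Barco, or from the affected product; the web-root layout and the access-log lines are constructed for the example. The first function shows the server-side check a file-serving handler should apply (decode, normalise backslashes, resolve with the filesystem, then test containment), and the second is a detection pass that flags request lines starting with the traversal substring named in the record, including its forward-slash and percent-encoded spellings.

```python
"""
Added example for CWE-22 as described in this CVE record (not vendor code).

resolve_under_root():     the mitigating control - refuse any requested path
                          that escapes the served directory.
flag_traversal_requests(): detection over constructed access-log lines for
                          request lines that begin with "GET /..\\.." (or the
                          "/../.." and percent-encoded forms).
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path
from urllib.parse import unquote


def resolve_under_root(root: Path, requested: str) -> Path | None:
    """Return the on-disk path for `requested` if it stays inside `root`,
    otherwise None.

    Order matters: percent-decode first (so "%2e%2e" and "%5c" are seen),
    treat backslashes as separators (the published pattern uses "..\\.."),
    then let the filesystem resolve ".." and symlinks before the containment
    test. A plain substring check for ".." would miss the encoded forms.
    """
    decoded = unquote(requested)
    normalised = decoded.replace("\\", "/").lstrip("/")
    root_resolved = root.resolve()
    candidate = (root_resolved / normalised).resolve()
    try:
        candidate.relative_to(root_resolved)  # raises if outside root
    except ValueError:
        return None
    return candidate


def demo_resolution() -> dict[str, bool]:
    """Exercise resolve_under_root against a constructed web root.

    Returns {requested_path: allowed} so the behaviour can be checked.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wwwroot"
        (root / "static").mkdir(parents=True)
        (root / "index.html").write_text("<html></html>")
        (root / "static" / "app.js").write_text("console.log(1)")
        probes = [
            "index.html",                       # plain file under root
            "static\\app.js",                   # backslash separator, still inside
            "static/../index.html",             # ".." that stays inside root
            "..\\..\\..\\etc\\hosts",           # the published "..\\.." pattern
            "../../../etc/hosts",               # forward-slash variant
            "%2e%2e%5c%2e%2e%5cetc%5chosts",    # percent-encoded variant
        ]
        return {p: resolve_under_root(root, p) is not None for p in probes}


# Request line beginning with "../.." in any of its spellings; anchored at the
# start so ordinary paths containing ".." deeper in the URL are not flagged here.
_TRAVERSAL_START = re.compile(
    r"^(?:GET|HEAD|POST)\s+/(?:\.\.|%2e%2e)(?:\\|/|%5c|%2f)(?:\.\.|%2e%2e)",
    re.IGNORECASE,
)
_REQUEST_FIELD = re.compile(r'"([^"]*)"')

# Constructed combined-format access-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Apr/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [03/Apr/2022:10:01:07 +0000] "GET /..\\..\\..\\config\\settings.ini HTTP/1.1" 200 403
10.0.0.9 - - [03/Apr/2022:10:01:09 +0000] "GET /../../config/settings.ini HTTP/1.1" 404 0
10.0.0.9 - - [03/Apr/2022:10:01:11 +0000] "GET /%2e%2e%5c%2e%2e%5cconfig.xml HTTP/1.1" 200 1290
10.0.0.7 - - [03/Apr/2022:10:02:00 +0000] "GET /static/logo.png HTTP/1.1" 200 8800
"""


def flag_traversal_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, request_line) for each log line whose request
    begins with the traversal substring."""
    hits: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        m = _REQUEST_FIELD.search(line)
        if not m:
            continue
        request = m.group(1)
        if _TRAVERSAL_START.match(request):
            hits.append((line.split(" ", 1)[0], request))
    return hits


if __name__ == "__main__":
    for path, allowed in demo_resolution().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {path}")
    for client, request in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal request from {client}: {request}")
```

The containment check is deliberately done on the resolved path rather than on the request string, because the string can be spelled many ways (backslashes, percent-encoding, redundant segments) while the resolved location is unambiguous; the log detector, by contrast, enumerates spellings because it only has the raw request line to work with, so treat it as a triage signal rather than a complete filter.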
