CVE-2022-26233
Published: 03 April 2022
Summary
CVE-2022-26233 is a high-severity Path Traversal (CWE-22) vulnerability in Barco Control Room Management Suite. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Barco Control Room Management through Suite 2.9 Build 0275 contains a directory traversal vulnerability tracked as CVE-2022-26233. The flaw, classified under CWE-22, permits remote attackers to read arbitrary files and other components outside the intended directory by crafting HTTP requests whose request line begins with the substring "GET /..\..". It carries a CVSS 3.1 base score of 7.5, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction, with high impact to confidentiality and none to integrity or availability.
Unauthenticated attackers reachable over the network can exploit the issue simply by submitting the specified traversal requests, enabling them to retrieve sensitive information and internal components without any prior credentials or user assistance. The attack requires only standard HTTP access to the affected management interface.
Public disclosures on Packet Storm and Full Disclosure detail the traversal technique but do not describe vendor patches or configuration workarounds. The EPSS score reached a peak of 0.8422 before receding to its current value of 0.7004, indicating sustained external interest in the vulnerability after publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-30797
Vulnerability details
Barco Control Room Management through Suite 2.9 Build 0275 was discovered to be vulnerable to directory traversal, allowing attackers to access sensitive information and components. Requests must begin with the "GET /..\.." substring.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (likely controls, AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
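The following is an added example, not code from the advisory or from Barco, showing the defender side of this class of flaw: a log check that flags request lines carrying the ".." traversal pattern described above (including the backslash and percent-encoded forms a naive "../" match would miss), and the pathname validation listed as the mitigating control. All function names are hypothetical and the request lines and directory names are constructed for illustration.

```python
# Added example (not from the advisory or the vendor): detection of traversal
# request lines in an access log, plus a path-validation routine of the kind
# the mitigating control describes. Names below are hypothetical; sample data
# is constructed.
import posixpath
from urllib.parse import unquote

# Constructed sample HTTP request lines as they might appear in an access log.
SAMPLE_REQUEST_LINES = [
    r"GET /index.html HTTP/1.1",
    r"GET /..\..\app\config.ini HTTP/1.1",        # backslash form, as in the advisory
    r"GET /../../app/config.ini HTTP/1.1",        # forward-slash form
    r"GET /%2e%2e%5c%2e%2e%5capp%5cconfig.ini HTTP/1.1",  # percent-encoded '..\..\'
    r"GET /static/css/..style.css HTTP/1.1",      # '..' inside a name: not a traversal
]


def normalize_path(raw_path: str) -> str:
    """Decode percent-encoding once and fold backslashes into '/'.

    Folding backslashes matters here: the advisory's pattern uses '..\\..',
    which a check that only looks for '../' would never see.
    """
    return unquote(raw_path).replace("\\", "/")


def is_traversal_request(request_line: str) -> bool:
    """Return True when the request target contains a literal '..' segment."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    target = parts[1].split("?", 1)[0]          # drop any query string
    path = normalize_path(target)
    return any(segment == ".." for segment in path.split("/"))


def flag_traversal_requests(lines):
    """Return the subset of log lines that should raise an alert."""
    return [line for line in lines if is_traversal_request(line)]


def resolve_within(base_dir: str, requested: str):
    """Return the normalized path under base_dir, or None if it escapes.

    This is the mitigating control in code form: normalize the requested
    name, join it to the intended directory, and refuse anything that does
    not remain beneath that directory after '..' segments are collapsed.
    """
    relative = normalize_path(requested).lstrip("/")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, relative))
    # Compare with a trailing separator so that '/srv/www2' is not accepted
    # as being inside '/srv/www'.
    if candidate == base or candidate.startswith(base.rstrip("/") + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for line in flag_traversal_requests(SAMPLE_REQUEST_LINES):
        print("ALERT:", line)
    print(resolve_within("/srv/www", "/docs/index.html"))
    print(resolve_within("/srv/www", r"/..\..\app\config.ini"))
```

`resolve_within` works on the string level only; on a real filesystem the validated path should additionally be passed through `os.path.realpath` (or opened relative to a directory file descriptor) so that symbolic links under the web root cannot point outside it.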