CVE-2022-28005
Published: 06 May 2022
Summary
CVE-2022-28005 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in the 3CX Phone System Management Console (vendor 3CX). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 3.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-28005 affects the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. The flaw stems from improper access controls on the /Electron/download endpoint that permit directory traversal using backslash path components, allowing retrieval of arbitrary server files and disclosure of cleartext credentials. An authenticated attacker can then upload a file that overwrites a 3CX service binary, resulting in remote code execution as NT AUTHORITY\SYSTEM on Windows. The issue is noted as resulting from an incomplete fix for CVE-2022-48482.
An unauthenticated remote attacker can first exploit the traversal to obtain valid credentials, then authenticate and replace a privileged service binary to achieve full system compromise. The CVSS 9.8 rating reflects the combination of network-accessible unauthenticated file disclosure followed by authenticated code execution without user interaction.
Vendor advisories direct administrators to apply the security hotfix or upgrade to 18 Update 3 FINAL, as documented in the 3CX change log and release announcements.
Public technical analyses describe the full attack chain reachable from the internet, and the EPSS score rose from a low baseline to a peak of 0.3825, indicating growing exploitation interest after disclosure.
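The root cause described above is a traversal check that did not treat backslash path components as separators. As an added illustration (not 3CX's code or fix), the Python below contrasts a forward-slash-only check with a resolver that unifies both separators and decodes percent-encoding before validating, and adds a small access-log scan that flags requests to the /Electron/download endpoint carrying traversal markers. Only the endpoint name comes from the advisory text; the base directory, the `file` query parameter, the log format and every sample request are constructed assumptions.

```python
"""
Added example, not 3CX's code: a hardened path resolver for a file-download
endpoint, a deliberately incomplete check for contrast, and a log scan that
surfaces traversal attempts against /Electron/download (endpoint name from
the advisory; everything else is constructed for illustration).
"""
import re
from pathlib import PurePosixPath
from typing import List, Optional
from urllib.parse import unquote

# Assumed download root; not a real 3CX path.
BASE_DIR = "/srv/downloads"


def naive_is_safe(requested: str) -> bool:
    """Incomplete check: only rejects '..' segments split on forward slashes.
    A request such as '..\\..\\x' passes because it contains no '/'."""
    return ".." not in requested.split("/")


def _decode(requested: str) -> str:
    """Decode percent-encoding twice so that double-encoded separators
    (%252e, %255c) are seen as the characters they become."""
    return unquote(unquote(requested))


def normalize_request_path(requested: str) -> List[str]:
    """Treat '\\' and '/' alike and return the non-empty path segments."""
    unified = _decode(requested).replace("\\", "/")
    return [seg for seg in unified.split("/") if seg not in ("", ".")]


def hardened_is_safe(requested: str) -> bool:
    """Reject NUL bytes, drive letters, absolute paths and any '..' segment,
    after both separators have been unified."""
    decoded = _decode(requested)
    if "\x00" in decoded:
        return False
    if re.match(r"^[A-Za-z]:", decoded):
        return False
    if decoded.startswith(("/", "\\")):
        return False
    segments = normalize_request_path(requested)
    if not segments:
        return False
    return all(seg != ".." for seg in segments)


def resolve_download(base_dir: str, requested: str) -> Optional[str]:
    """Return the path under base_dir to serve, or None when rejected."""
    if not hardened_is_safe(requested):
        return None
    return str(PurePosixPath(base_dir).joinpath(*normalize_request_path(requested)))


# Detection side: constructed access-log lines in a common combined format.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/May/2022:10:00:01 +0000] "GET /Electron/download?file=reports/summary.pdf HTTP/1.1" 200',
    '10.0.0.9 - - [06/May/2022:10:00:07 +0000] "GET /Electron/download?file=..\\..\\secret.txt HTTP/1.1" 200',
    '10.0.0.9 - - [06/May/2022:10:00:09 +0000] "GET /Electron/download?file=%2e%2e%5c%2e%2e%5csecret.txt HTTP/1.1" 200',
    '10.0.0.7 - - [06/May/2022:10:00:12 +0000] "GET /index.html HTTP/1.1" 200',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_traversal_requests(log_lines: List[str]) -> List[str]:
    """Return the lines whose decoded request target hits the download
    endpoint and carries a '..' or a backslash component."""
    flagged = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = _decode(match.group(1))
        if "/Electron/download" not in target:
            continue
        if ".." in target or "\\" in target:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for req in ("reports/2022/summary.pdf", "..\\..\\secret.txt", "%2e%2e%5cfoo"):
        print(f"{req!r}: naive={naive_is_safe(req)} hardened={hardened_is_safe(req)}")
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("FLAGGED:", hit)
```

The naive check returns True for the backslash form while the hardened resolver rejects it; the log scan decodes twice before matching so that percent-encoded backslashes (`%5c`) and double-encoded dots are caught by the same rule.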
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-32491
Vulnerability details
An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. An unauthenticated attacker could abuse improperly secured access to arbitrary files on the server (via /Electron/download directory traversal in conjunction with a path component that uses backslash characters), leading to cleartext credential disclosure. Afterwards, the authenticated attacker is able to upload a file that overwrites a 3CX service binary, leading to Remote Code Execution as NT AUTHORITY\SYSTEM on Windows installations. NOTE: this issue exists because of an incomplete fix for CVE-2022-48482.
- CWE(s): CWE-522 (Insufficiently Protected Credentials)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Training instructs users on protecting credentials from disclosure or unauthorized access.
- Training records for security awareness and role-based training verify that staff have been educated on credential protection practices, reducing the risk of credentials being mishandled or exposed.
- Protecting authenticator content from unauthorized disclosure and modification, with protective controls required wherever it is stored or transmitted, addresses insufficiently protected credentials.
- Rules of behavior include credential protection and non-sharing requirements, reducing exposure of insufficiently protected credentials.
- Terminating or revoking credentials on departure stops continued use of insufficiently protected or lingering credentials after the holder leaves.
- Requiring confidentiality and integrity protection for stored credentials directly mitigates insufficiently protected credentials on disk or in configuration stores.
- Delivering credentials or keys out-of-band keeps them off the main transport, where they could be intercepted or inadequately protected.