CVE-2022-31199
Published: 08 November 2022
Summary
CVE-2022-31199 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Netwrix Auditor. Its CVSS base score is 9.8 (Critical).
Operationally, the CVE ranks in the top 9.2% of CVEs by EPSS exploit likelihood, is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST SP 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation); the Mitigating Controls section below explains how each applies.
Deeper analysis
CVE-2022-31199 is a remote code execution vulnerability in the User Activity Video Recording component of Netwrix Auditor. The flaw resides in the underlying protocol used by the component and affects both the Netwrix Auditor server and the agents deployed on monitored systems. It is tracked under CWE-502 and carries a CVSS 3.1 score of 9.8.
An unauthenticated remote attacker can exploit the vulnerability over the network to execute arbitrary code as NT AUTHORITY\SYSTEM on both the Auditor server and any monitored endpoints where the agent is installed.
Bishop Fox, which discovered and reported the flaw, published an advisory describing it; Netwrix addressed it in Auditor 10.5, and CISA's Known Exploited Vulnerabilities entry directs administrators to apply the vendor's updates. Until a system is patched, the affected service should not be reachable from untrusted networks.
Because the CVE is listed in CISA's KEV catalog, CISA has evidence of exploitation in the wild. Its EPSS (Exploit Prediction Scoring System) probability rose sharply from a low baseline to a peak of 0.5343 on 2024-03-11 before receding; that post-disclosure spike in predicted exploitation warrants renewed attention to any unpatched or network-exposed instances.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-53293
Vulnerability details
Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 11 July 2023
Related Threats
No named actor attribution. The joint CISA/FBI advisory AA23-187A (July 2023) reports operators of the Truebot malware exploiting this CVE for initial access into Netwrix Auditor servers. ATT&CK technique mapping is in progress for this CVE.
Affected Assets
Netwrix Auditor server and the agents deployed on monitored systems; per the vendor and Bishop Fox advisories, releases prior to Netwrix Auditor 10.5 are affected.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mitigates the CWE-502 flaw by requiring that data received over the component's network protocol be validated, and that arbitrary serialized object types be rejected, before it is deserialized and can reach executable code paths.
- AC-3 (Access Enforcement): Enforces access-control policy on the Auditor component so that unauthenticated remote actors cannot reach the vulnerable protocol endpoints that allow SYSTEM-level code execution.
- SC-7 (Boundary Protection): Boundary-protection mechanisms can restrict network traffic to the Auditor server and agents to the hosts that legitimately need it, reducing the attack surface for unauthenticated RCE attempts while systems await the vendor update.
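As an added example (not code from the original page, from Netwrix, or from Bishop Fox), the following PowerShell, run on a Netwrix Auditor server, puts the AC-3 and SC-7 controls into practice: it inventories installed Auditor components against the fixed release, shows which process is listening on the User Activity Video Recording port, finds inbound firewall rules that expose that port to any remote address, and replaces them with an allow rule scoped to trusted hosts. The fixed version 10.5, TCP port 9004 (the port the Bishop Fox advisory identifies for the video recording service's .NET Remoting listener), and the trusted host list are assumptions to verify against the vendor's guidance before use.

```powershell
# Added example for this CVE page; not Netwrix, Bishop Fox or CISA code.
# Assumptions (adjust to your environment and to the vendor advisory):
#   - $FixedVersion 10.5 is the first release that closes CVE-2022-31199
#   - the User Activity Video Recording service listens on TCP 9004
#   - $AllowedHosts are the only systems that legitimately talk to that service
$FixedVersion = [version]'10.5'
$Port         = 9004
$AllowedHosts = @('10.10.20.5', '10.10.20.6')   # constructed sample addresses

# 1. Inventory: find Netwrix Auditor components in the Uninstall registry keys
#    and flag anything below the fixed version. Run locally or via Invoke-Command
#    against the Auditor server and the monitored hosts that carry agents.
function Get-NetwrixAuditorInstall {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Netwrix Auditor*' } |
        ForEach-Object {
            $ver  = $_.DisplayVersion -as [version]   # $null if not a dotted version string
            $vuln = if ($ver) { $ver -lt $FixedVersion } else { 'unknown' }
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Product    = $_.DisplayName
                Version    = $ver
                Vulnerable = $vuln
            }
        }
}

# 2. Exposure: which process owns the listener on the video recording port,
#    and on which local addresses it is bound.
function Get-VideoRecordingListener {
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                Process      = $proc.ProcessName
                ProcessId    = $_.OwningProcess
            }
        }
}

# 3. Enabled inbound Allow rules that open the port to any remote address.
#    Note: rules expressed as port ranges (e.g. "9000-9010") are not matched here.
function Get-BroadAllowRule {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $af = $_ | Get-NetFirewallAddressFilter
            ($pf.Protocol -in 'TCP', 'Any') -and
            ($pf.LocalPort -eq 'Any' -or "$Port" -in @($pf.LocalPort)) -and
            ($af.RemoteAddress -eq 'Any')
        }
}

# 4. Compensating control: allow the port only from trusted hosts.
#    In Windows Firewall a Block rule always wins over an Allow rule for the same
#    traffic, so a catch-all Block on the port would also cut off the trusted hosts.
#    Instead, scope the Allow and rely on the profile's default inbound action (Block).
function Set-VideoRecordingScope {
    $name = 'Netwrix Auditor UAVR - allow from trusted hosts only'
    Get-NetFirewallProfile | Where-Object DefaultInboundAction -ne 'Block' |
        Set-NetFirewallProfile -DefaultInboundAction Block
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port -RemoteAddress $AllowedHosts | Out-Null
    # Disable, rather than delete, remaining unscoped Allow rules so the change is reversible.
    Get-BroadAllowRule | Disable-NetFirewallRule
}

Get-NetwrixAuditorInstall  | Format-Table -AutoSize
Get-VideoRecordingListener | Format-Table -AutoSize
Get-BroadAllowRule         | Select-Object DisplayName, Profile, Group
# Set-VideoRecordingScope   # apply once $AllowedHosts has been verified with the Auditor owners
```

The scoped firewall rule is a stop-gap that implements AC-3 and SC-7 at the host boundary; it does not remove the CWE-502 flaw, so the vendor update remains the fix. On domain-joined servers whose firewall is managed by Group Policy, make the equivalent change in the policy rather than locally, since a local rule or profile setting can be overwritten at the next policy refresh.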