Cyber Resilience

CVE-2022-31199

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked · RCE

Published: 08 November 2022
Modified: 03 November 2025
KEV Added: 11 July 2023
Patch: available
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0585 (90.8th percentile)
Risk Priority: 43 (weighting: 60% EPSS · 20% KEV · 20% CVSS)
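The Risk Priority figure above is a weighted blend of the three numbers on this page. The following is an added worked example, not the site's own scoring code: the weights (60% EPSS, 20% KEV, 20% CVSS) are the page's, but the combination rule, each input scaled to 0..100 and the weighted sum rounded to an integer, is an assumption; it is the simplest rule that reproduces the page's value of 43 for CVE-2022-31199. The comparison records tagged EXAMPLE are constructed and are not real CVEs.

```python
"""Risk Priority as a function of EPSS, KEV listing and CVSS.

Added worked example, not the site's own scoring code. The combination
rule (scale each input to 0..100, weight 60/20/20, round) is an
assumption that reproduces the page's 43 for CVE-2022-31199.
"""

WEIGHTS = {"epss": 0.60, "kev": 0.20, "cvss": 0.20}

# Figures from the page for this CVE.
EPSS_CURRENT = 0.0585   # 90.8th percentile
EPSS_PEAK = 0.5343      # peak on 11 March 2024
CVSS_BASE = 9.8


def contributions(epss: float, in_kev: bool, cvss: float) -> dict:
    """Weighted contribution of each input, all on a 0..100 scale."""
    if not 0.0 <= epss <= 1.0:
        raise ValueError(f"EPSS is a probability, got {epss}")
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score is 0..10, got {cvss}")
    scaled = {
        "epss": epss * 100.0,             # probability -> percent
        "kev": 100.0 if in_kev else 0.0,  # listed in KEV or not
        "cvss": cvss * 10.0,              # 0..10 -> 0..100
    }
    return {k: WEIGHTS[k] * scaled[k] for k in WEIGHTS}


def risk_priority(epss: float, in_kev: bool, cvss: float) -> int:
    """Rounded weighted sum; 43 for the page's current figures."""
    return round(sum(contributions(epss, in_kev, cvss).values()))


def rank(records: list) -> list:
    """Order CVE records (keys: id, epss, in_kev, cvss) by descending
    priority, id as tie-break, so a triage queue can be built from
    the same numbers."""
    scored = [(r["id"], risk_priority(r["epss"], r["in_kev"], r["cvss"]))
              for r in records]
    return sorted(scored, key=lambda s: (-s[1], s[0]))


# Constructed comparison records; the two EXAMPLE ids are not real CVEs.
SAMPLE = [
    {"id": "CVE-2022-31199", "epss": EPSS_CURRENT, "in_kev": True, "cvss": CVSS_BASE},
    {"id": "EXAMPLE-A", "epss": 0.90, "in_kev": False, "cvss": 7.5},
    {"id": "EXAMPLE-B", "epss": 0.01, "in_kev": True, "cvss": 10.0},
]

if __name__ == "__main__":
    print(risk_priority(EPSS_CURRENT, True, CVSS_BASE))  # 43 with today's EPSS
    print(risk_priority(EPSS_PEAK, True, CVSS_BASE))     # 72 at the March 2024 peak
    print(rank(SAMPLE))
```

Under this rule a KEV-listed CVSS 9.8 CVE starts at 39.6 before EPSS is considered, which is why the score stays in the 40s even though the current EPSS is modest; the March 2024 EPSS peak alone would have lifted it to 72.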

Summary

CVE-2022-31199 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Netwrix Auditor. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 9.2% of CVEs by exploit likelihood (EPSS 0.0585, 90.8th percentile); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2022-31199 is a remote code execution vulnerability in the User Activity Video Recording component of Netwrix Auditor. The flaw resides in the underlying protocol used by the component and affects both the Netwrix Auditor server and the agents deployed on monitored systems. It is tracked under CWE-502 and carries a CVSS 3.1 score of 9.8.

An unauthenticated remote attacker can exploit the vulnerability over the network to execute arbitrary code as NT AUTHORITY\SYSTEM on both the Auditor server and any monitored endpoints where the agent is installed.

Public advisories, including analysis from Bishop Fox and CISA’s Known Exploited Vulnerabilities catalog, document the issue and direct administrators to vendor guidance for remediation.

The CVE is listed in CISA's KEV catalog, which confirms observed in-the-wild exploitation. Its EPSS score rose sharply from a low baseline to a peak of 0.5343 on 11 March 2024 before receding, a clear post-disclosure spike in exploitation interest that warrants renewed attention to any installation still on an affected version.


Vulnerability details

Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 11 July 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Netwrix Auditor (vendor: netwrix, product: auditor), versions ≤ 10.5

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly addresses the CWE-502 deserialization flaw. For serialized input, validation means restricting what the deserializer is allowed to instantiate (an explicit allow-list of the types the protocol actually uses, or a data-only format that carries no type information) before any object is constructed. Checking the stream for well-formedness is not enough: a well-formed stream can still name a gadget type, and the code runs during deserialization itself.

AC-3 Access Enforcement (prevent)
Enforces access-control policy on the Auditor component so that unauthenticated remote actors cannot reach the vulnerable protocol endpoints that allow SYSTEM-level code execution.

SC-7 Boundary Protection (prevent)
Boundary-protection mechanisms (host and network firewalls, segmentation) restrict which hosts can reach the Auditor server and agents, reducing the exposure of the unauthenticated RCE path. Because the agents on monitored systems are affected as well as the server, the restriction has to cover the agent side, not only the central server.
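The flaw described under Deeper analysis and the SI-10 control above come down to one pattern: a network service hands attacker-controlled bytes to a deserializer that lets the stream decide which types are built and which callables run. The block below is an added illustration of that pattern and its fix; it is not Netwrix code, and the page does not say which serializer Netwrix Auditor uses. Python's pickle stands in for the product's wire format because it has the same CWE-502 property. The message layout, the size cap, the Gadget class and the function names are all assumptions made for the example; the gadget calls os.getpid() so the demonstration is harmless, where a real chain would call os.system (or the platform equivalent) under the service account.

```python
"""CWE-502 in a network service: deserialize whatever the client sends
(vulnerable) versus deserialize only what the protocol expects (hardened).

Added illustration, not Netwrix code; pickle stands in for the product's
serializer. Message contents and names are constructed for the example.
"""
import io
import os
import pickle


class Gadget:
    """Attacker-supplied object. Its pickle form instructs the loader to
    call os.getpid() with no arguments; a real chain would name os.system
    and run as the service account (NT AUTHORITY\\SYSTEM for the Netwrix
    components described on this page)."""

    def __reduce__(self):
        return (os.getpid, ())


# Constructed traffic: a benign status message an agent might send, and
# the same channel carrying the gadget instead of data.
BENIGN_MESSAGE = {"session": "alice", "frames": 3, "state": "recording"}
BENIGN_BYTES = pickle.dumps(BENIGN_MESSAGE)
ATTACK_BYTES = pickle.dumps(Gadget())


def vulnerable_handle(raw: bytes):
    """Original pattern: trust the wire. pickle.loads resolves any global
    the stream names and invokes whatever the stream tells it to."""
    return pickle.loads(raw)


# Globals the hardened server is willing to resolve, as (module, name).
# Plain data (dict, list, str, int, ...) needs no global lookup at all,
# so for this protocol the allow-list can stay empty.
ALLOWED_GLOBALS = frozenset()


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup the protocol does not require."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def hardened_handle(raw: bytes, max_len: int = 64 * 1024):
    """Hardened pattern: bound the size, then load through the restricted
    unpickler so no unexpected type is ever constructed."""
    if len(raw) > max_len:
        raise ValueError("message too large")
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def is_rejected(raw: bytes) -> bool:
    """True if the hardened path refuses the message."""
    try:
        hardened_handle(raw)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False


def demo():
    """(attacker code ran on the vulnerable path, hardened path refused it)."""
    ran = vulnerable_handle(ATTACK_BYTES) == os.getpid()
    return ran, is_rejected(ATTACK_BYTES)


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The hardened path rejects the gadget before any object is built, which is the property SI-10 is asking for here; the same shape in a .NET service is a SerializationBinder that returns only the expected types, and the more durable fix is a serializer that carries no type information at all. Note that the size cap alone would not have stopped the attack: ATTACK_BYTES is smaller than the benign message.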

References