Cyber Resilience

CVE-2022-31706

Critical · Public PoC

Published: 26 January 2023

Modified: 02 April 2025
KEV Added:
Patch:
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9018 (99.6th percentile)
Risk Priority: 74 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-31706 is a critical-severity Path Traversal (CWE-22) vulnerability in VMware vRealize Log Insight. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The vRealize Log Insight appliance is affected by a directory traversal vulnerability tracked as CVE-2022-31706. The flaw, assigned CWE-22, permits an unauthenticated remote actor to inject arbitrary files onto the underlying operating system, which can be leveraged for remote code execution. It carries a CVSS 3.1 base score of 9.8, reflecting a network-reachable, low-complexity attack that requires neither credentials nor user interaction.

An attacker can send specially crafted requests to the affected appliance to write malicious files and subsequently execute code, resulting in full compromise of the system's confidentiality, integrity, and availability. The vulnerability is exploitable over the network without authentication, so any remote adversary able to reach the appliance can achieve these outcomes.

VMware’s advisory VMSA-2023-0001 addresses the issue and provides remediation guidance for impacted versions of vRealize Log Insight. Public exploit code demonstrating unauthenticated remote code execution has been published, and the CVE maintains an EPSS score of 0.9018, indicating sustained exploitation interest since disclosure.

Vulnerability details

vRealize Log Insight contains a directory traversal vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance, which can result in remote code execution.

CWE(s): CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

VMware vRealize Log Insight: versions 3.0 to 4.8 and 8.0.0 to 8.10.2

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.