Cyber Posture

CVE-2022-3365

Critical · Public PoC

Published: 28 January 2025

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.5260 (98.0th percentile)
Risk Priority: 51 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-3365 is a critical-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 2.0% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-8 (Transmission Confidentiality and Integrity).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Requires protection of transmission confidentiality and integrity using approved cryptography, directly countering the cleartext transmission of a trivial substitution cipher.

prevent: Mandates changing default authenticators prior to first use and managing authenticator strength, preventing exploitation via the default password.

prevent: Enforces validation of information inputs to the custom control protocol, blocking OS command injection attempts.

NVD Description

Due to reliance on a trivial substitution cipher, sent in cleartext, and the reliance on a default password when the user does not set a password, the Remote Mouse Server by Emote Interactive can be abused by attackers to inject OS commands over the product's custom control protocol. A Metasploit module was written and tested against version 4.110, the current version when this CVE was reserved.

Deeper analysis [AI]

CVE-2022-3365 is a critical vulnerability in the Remote Mouse Server by Emote Interactive, stemming from reliance on a trivial substitution cipher transmitted in cleartext and the use of a default password when users do not configure one. This design flaw enables attackers to inject operating system commands via the product's custom control protocol. The vulnerability was tested against version 4.110, which was the current version at the time the CVE was reserved, and is classified under CWE-327 (Broken or Risky Cryptographic Algorithm) with a CVSS v3.1 base score of 9.8.

The attack requires no privileges or user interaction, allowing remote attackers to exploit it over the network with low complexity (AV:N/AC:L/PR:N/UI:N/S:U). Successful exploitation grants high-impact access to execute arbitrary OS commands on the affected system, compromising confidentiality, integrity, and availability (C:H/I:H/A:H).

The primary reference is a GitHub pull request for a Metasploit module (https://github.com/rapid7/metasploit-framework/pull/17067), which implements and tests an exploit against version 4.110. No vendor advisories or patches are detailed in the provided information.

Details

CWE(s)

CVEs Like This One

CVE-2024-31896 (Shared CWE-327)
CVE-2026-26219 (Shared CWE-327)
CVE-2025-14480 (Shared CWE-327)
CVE-2024-41763 (Shared CWE-327)
CVE-2024-27256 (Shared CWE-327)
CVE-2026-1626 (Shared CWE-327)
CVE-2025-58743 (Shared CWE-327)
CVE-2024-43178 (Shared CWE-327)
CVE-2024-52884 (Shared CWE-327)
CVE-2024-38320 (Shared CWE-327)
