CVE-2022-33677
Published: 12 July 2022
Summary
CVE-2022-33677 is a high-severity vulnerability of unspecified weakness type in Microsoft Azure Site Recovery. Its CVSS base score is 7.2 (High).
Operationally, it is ranked in the top 9.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Azure Site Recovery contains an elevation of privilege vulnerability tracked as CVE-2022-33677. The flaw affects the Azure Site Recovery service and carries a CVSS 3.1 base score of 7.2, with a network attack vector, low attack complexity, and high privileges required, resulting in complete confidentiality, integrity, and availability impact when exploited.
An attacker who already possesses high-privileged credentials can send specially crafted requests over the network to the affected Azure Site Recovery component and thereby elevate privileges to obtain full control over the recovery service and associated resources.
Microsoft’s security advisory at the referenced MSRC page supplies the official mitigation guidance, including available updates and configuration recommendations for Azure Site Recovery customers. The associated EPSS score has remained low, moving only from 0.0592 to a peak of 0.0621 with no indication of significant exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-36720
Vulnerability details
Azure Site Recovery Elevation of Privilege Vulnerability
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.