Cyber Resilience

CVE-2022-33677

High

Published: 12 July 2022
Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0592 (90.8th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-33677 is a high-severity vulnerability with an unspecified weakness type in Microsoft Azure Site Recovery. Its CVSS base score is 7.2 (High).

Operationally, it is ranked in the top 9.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Azure Site Recovery contains an elevation of privilege vulnerability tracked as CVE-2022-33677. The flaw affects the Azure Site Recovery service and carries a CVSS 3.1 base score of 7.2 with network attack vector, low complexity, and high-privilege requirements, resulting in complete confidentiality, integrity, and availability impact when exploited.

An attacker who already possesses high-privileged credentials can send specially crafted requests over the network to the affected Azure Site Recovery component and thereby elevate privileges to obtain full control over the recovery service and associated resources.

Microsoft’s security advisory at the referenced MSRC page supplies the official mitigation guidance, including available updates and configuration recommendations for Azure Site Recovery customers. The associated EPSS score has remained low, moving only from 0.0592 to a peak of 0.0621 with no indication of significant exploitation interest.

EU & UK References

Vulnerability details

Azure Site Recovery Elevation of Privilege Vulnerability

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: microsoft
Product: azure site recovery
Affected versions: ≤ 9.49.6395.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References