
CVE-2022-33941

Critical · RCE

Published: 08 September 2022
Modified: 21 November 2024
KEV Added: not listed
Patch:
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0522 (90.2nd percentile)
Risk Priority: 23 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-33941 is a critical-severity OS Command Injection (CWE-78) vulnerability in Alfasado PowerCMS. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 9.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The PowerCMS XMLRPC API from Alfasado Inc. is affected by a command-injection vulnerability (CWE-78) that permits arbitrary Perl script execution. The flaw affects PowerCMS versions 6.021 and earlier, 5.21 and earlier, 4.51 and earlier, and all unsupported earlier releases. The CVSS 3.1 base score of 9.8 reflects that exploitation is possible over the network without authentication or user interaction.

An unauthenticated attacker can send a crafted POST request to the XMLRPC API endpoint, causing the server to execute attacker-supplied Perl code, which in turn can spawn arbitrary operating-system commands with the privileges of the web-server process.

Vendor and JVN advisories published in August 2022 describe the issue and direct administrators to apply the mitigations and updated packages referenced at the PowerCMS and JVN sites. The associated EPSS score has remained flat at 0.0522 since disclosure, indicating no material increase in observed exploitation activity.


Vulnerability details

PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability. Sending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it.

Affected products/versions are as follows: PowerCMS 6.021 and earlier (PowerCMS 6 Series), PowerCMS 5.21 and earlier (PowerCMS 5 Series), and PowerCMS 4.51 and earlier (PowerCMS 4 Series). Note that all versions of PowerCMS 3 Series and earlier, which are unsupported (End-of-Life, EOL), are also affected by this vulnerability.

CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command, "OS Command Injection")

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Alfasado PowerCMS: ≤ 4.51; 5.0 to 5.21; 6.0 to 6.021

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Managed runtime / sandboxed execution (addresses CWE-78): Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

- Input validation (addresses CWE-78): Validates inputs to block special elements that would alter OS command execution.
