CVE-2022-35914

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 19 September 2022
Modified: 03 November 2025
KEV Added: 07 March 2023
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9439 (100.0th percentile)
Risk Priority: 96 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-35914 is a critical-severity Injection (CWE-74) vulnerability in Glpi-Project Glpi. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability is a PHP code injection flaw tracked as CVE-2022-35914, affecting the htmLawedTest.php file within the htmlawed module bundled with GLPI versions through 10.0.2. It is assigned CWE-74 and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible, unauthenticated exploitation that can fully compromise confidentiality, integrity, and availability.

An unauthenticated remote attacker can directly invoke the test script over HTTP to inject and execute arbitrary PHP code on the server. Successful exploitation grants the attacker the ability to run operating-system commands, read or modify application data, and maintain persistent access without requiring credentials or user interaction.

Public references include a GLPI release page for obtaining patches and a functional proof-of-concept script that demonstrates command injection against the vulnerable endpoint. The associated EPSS score has reached a peak of 0.9751 with a current value of 0.9439, indicating sustained and substantial exploitation interest following disclosure.

EU & UK References

Vulnerability details

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.

CWE(s): CWE-74
KEV Date Added: 07 March 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

glpi-project / glpi, versions ≤ 10.0.2

Mitigating Controls (NIST 800-53 r5)

prevent (CM-7, Least Functionality): Directly requires disabling or removing non-essential components such as the exposed htmLawedTest.php script that enables unauthenticated PHP injection.

prevent (SI-10, Information Input Validation): Mandates validation and sanitization of all input to the test script, blocking the crafted PHP code that leads to remote execution.

prevent: Enforces access-control policy on web resources so that the vulnerable test endpoint cannot be reached by unauthenticated attackers.
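As a defender-side illustration of the controls above (knowing whether the test endpoint is still reachable and whether anyone is hitting it), here is an added example that is not part of this record or of the GLPI project: a small Python checker that parses access-log lines in Common Log Format, flags every request whose path ends in the htmLawedTest.php script named in the advisory, records whether the server actually served it (a non-error status suggests the file is still present), and tests a GLPI version string against the ≤ 10.0.2 range listed under Affected Assets. The sample log lines, the client IP addresses and all function names are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Path of the test script named in the advisory for CVE-2022-35914.
VULNERABLE_SCRIPT = "/vendor/htmlawed/htmlawed/htmLawedTest.php"

# Last affected release according to the advisory ("GLPI through 10.0.2").
LAST_AFFECTED_VERSION = (10, 0, 2)

# Common Log Format as written by Apache/nginx, e.g.
#   203.0.113.5 - - [19/Sep/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample access-log lines for demonstration (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Sep/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [19/Sep/2022:10:01:09 +0000] "GET /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1" 200 8834
198.51.100.7 - - [19/Sep/2022:10:01:11 +0000] "POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1" 200 612
203.0.113.9 - - [19/Sep/2022:10:02:30 +0000] "GET /glpi/vendor/htmlawed/htmlawed/htmLawedTest.php?x=1 HTTP/1.1" 404 196
this line is truncated garbage
""".splitlines()


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one CLF line, or None if it does not parse."""
    match = LOG_LINE.match(line)
    return match.groupdict() if match else None


def flag_htmlawed_requests(lines: List[str]) -> List[Dict[str, object]]:
    """Return every request whose path ends in the htmLawed test script.

    The comparison ignores the query string and is case-insensitive, so a
    GLPI instance served under a sub-path (/glpi/...) is still caught.
    'served' is True when the server answered with a non-error status, which
    means the script is still reachable and the host is probably unpatched.
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue  # unparsable line (e.g. truncated); skip rather than crash
        path = rec["target"].split("?", 1)[0]
        if path.lower().endswith(VULNERABLE_SCRIPT.lower()):
            status = int(rec["status"])
            hits.append({
                "ip": rec["ip"],
                "timestamp": rec["ts"],
                "method": rec["method"],
                "path": path,
                "status": status,
                "served": status < 400,
            })
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[str, Dict[str, int]]:
    """Count flagged requests per client IP and how many of them were served."""
    summary: Dict[str, Dict[str, int]] = {}
    for hit in hits:
        entry = summary.setdefault(str(hit["ip"]), {"requests": 0, "served": 0})
        entry["requests"] += 1
        entry["served"] += int(bool(hit["served"]))
    return summary


def is_affected_version(version: str) -> bool:
    """True when a GLPI version string falls in the advisory's range (<= 10.0.2).

    Only plain dotted numeric versions are handled; anything else is treated
    conservatively as affected so that a human looks at it.
    """
    try:
        parts = tuple(int(p) for p in version.strip().split("."))
    except ValueError:
        return True
    return parts <= LAST_AFFECTED_VERSION


if __name__ == "__main__":
    found = flag_htmlawed_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["timestamp"]} {h["ip"]} {h["method"]} {h["path"]} '
              f'-> {h["status"]} served={h["served"]}')
    print(summarize(found))
    print("10.0.2 affected:", is_affected_version("10.0.2"),
          "| 10.0.3 affected:", is_affected_version("10.0.3"))
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines; any hit with served=True on a host that still reports a version ≤ 10.0.2 is the case the CM-7 control addresses, and the removal or blocking of the script should show up afterwards as 403/404 responses only.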

References