CVE-2022-36534
Published: 16 September 2022
Summary
CVE-2022-36534 is a high-severity vulnerability of unspecified weakness type in Syncovery. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
Syncovery 9 for Linux versions 9.47x and earlier contain multiple remote code execution flaws in the web GUI component post_profilesettings.php. The issues are triggered through the Job_ExecuteBefore and Job_ExecuteAfter parameters, which accept unsanitized input that is later executed by the application.
An attacker with a valid low-privileged account on the Syncovery web interface can supply arbitrary commands in these fields over the network. Successful exploitation grants the ability to run operating-system commands with the privileges of the Syncovery process, resulting in full confidentiality, integrity, and availability impact on the affected Linux host.
Public exploit code has been available since disclosure, and the vulnerability’s EPSS score rose from low values to a peak of 0.8466 in late 2025 before settling at 0.7491, indicating renewed attacker interest well after the original publication. Detailed technical write-ups and proof-of-concept material are published at the mgm-sp.com advisory and Packet Storm entries linked in the CVE references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-39242
Vulnerability details
Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below was discovered to contain multiple remote code execution (RCE) vulnerabilities via the Job_ExecuteBefore and Job_ExecuteAfter parameters at post_profilesettings.php.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.