Cyber Resilience

CVE-2022-36536

Severity: Critical · Public PoC referenced

Published: 16 September 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4801 (97.8th percentile)
Risk Priority: 48 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-36536 is a critical-severity Use of Insufficiently Random Values (CWE-330) vulnerability in Syncovery. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 2.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-36536 is a privilege-escalation flaw in the post_applogin.php component of Syncovery 9 for Linux versions 9.47x and earlier. The issue stems from insufficient randomness in session-token generation, classified under CWE-330, and carries a CVSS 3.1 score of 9.8, reflecting that the flaw is reachable over the network without authentication or user interaction.

An unauthenticated remote attacker can supply crafted session tokens to the affected endpoint and obtain elevated privileges, resulting in full compromise of confidentiality, integrity, and availability on the target system.

The referenced advisory at mgm-sp.com details multiple vulnerabilities in the same product line and points to vendor sites super.com and syncovery.com for updates; no explicit patch or workaround text is supplied in the available references.

The associated EPSS score has remained flat at its peak value of 0.4801 since disclosure.

Vulnerability details

An issue in the component post_applogin.php of Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below allows attackers to escalate privileges via creating crafted session tokens.

CWE(s)

CWE-330: Use of Insufficiently Random Values

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: syncovery
Product: syncovery
Versions: 8.00 to 9.48j

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-330

Key generation under controlled management uses approved random-bit sources rather than insufficiently random values.
