Cyber Resilience

CVE-2022-37017

High

Published: 01 December 2022
Modified: 24 April 2025
KEV Added: not listed
Patch: upgrade to 14.3 RU6 or 14.3 RU5 Patch 1
CVSS v3.1 score: 7.5 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS score: 0.0795 (92.2nd percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-37017 is a high-severity vulnerability (weakness type unspecified) in Broadcom Symantec Endpoint Protection. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 7.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Symantec Endpoint Protection Windows agent versions prior to 14.3 RU6 and 14.3 RU5 Patch 1 contain a Security Control Bypass vulnerability that can allow circumvention of the Client User Interface Password protection and Policy Import/Export Password protection features when those controls are enabled. The issue is tracked as CVE-2022-37017 with a CVSS 3.1 score of 7.5, reflecting a network attack vector, no required privileges or user interaction, and high integrity impact.

An unauthenticated remote attacker can exploit the flaw to bypass the configured password protections, thereby interfering with protected interface or policy operations on affected endpoints. The narrow scope means only the password-protected functions are directly impacted rather than broader agent functionality.

Broadcom security advisories direct customers to upgrade the Windows agent to 14.3 RU6 or 14.3 RU5 Patch 1 to address the bypass condition. The provided references point to the same Broadcom support notification containing remediation guidance and version mappings.

EPSS has remained flat: its peak and current values are both 0.0795, with no material increase after disclosure.

Vulnerability details

Symantec Endpoint Protection (Windows) agent, prior to 14.3 RU6/14.3 RU5 Patch 1, may be susceptible to a Security Control Bypass vulnerability, which is a type of issue that can potentially allow a threat actor to circumvent existing security controls. This CVE applies narrowly to the Client User Interface Password protection and Policy Import/Export Password protection, if it has been enabled.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Broadcom
Product: Symantec Endpoint Protection
Affected versions: ≤ 14.3.5.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
