CVE-2022-37027
Published: 21 September 2022
Summary
CVE-2022-37027 is a high-severity Argument Injection (CWE-88) vulnerability in Ahsay Cloud Backup Suite. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 8.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Ahsay AhsayCBS version 9.1.4.0 contains a command injection flaw tracked as CVE-2022-37027 and assigned CWE-88. An authenticated administrator can supply arbitrary Java JVM options through the Runtime Options field in the web interface; the injected options are applied on the next service restart and can alter JVM behavior such as enabling remote management interfaces.
An attacker with administrative credentials can therefore enable services such as JMX, bind them to network interfaces, and obtain remote code execution in the context of the AhsayCBS system user. The attack requires high privileges and network access but no user interaction, yielding a CVSS 7.2 rating.
Vendor release notes for version 9.3.2.0 and subsequent hotfixes address the issue by restricting the set of permitted JVM arguments. Compass Security advisory CSNC-2022-009 and the associated Ahsay download pages provide the recommended upgrade path and configuration guidance for administrators.
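The fix described above restricts which JVM arguments an administrator may set. The following is an added illustration of that control, not Ahsay's code: an allow-list validator for a Runtime Options string, plus an audit helper that reports newly added options between a stored and a submitted value. The permitted patterns (heap and stack sizing, one GC switch, two harmless system properties) and the function names are assumptions chosen for the example; the real product's permitted set is not on the page.

```python
import re
import shlex
from typing import List, Tuple

# Allow-list of JVM options an administrator may set. Constructed for this
# example; anything not matching one of these patterns is refused, so there is
# no deny-list to keep up to date and no spelling or encoding variant to miss.
ALLOWED_OPTION_PATTERNS = [
    re.compile(r"-Xmx\d+[kKmMgG]"),                    # maximum heap size
    re.compile(r"-Xms\d+[kKmMgG]"),                    # initial heap size
    re.compile(r"-Xss\d+[kKmMgG]"),                    # thread stack size
    re.compile(r"-XX:\+UseG1GC"),                      # one specific GC choice
    re.compile(r"-Duser\.timezone=[A-Za-z_/+\-]{1,40}"),  # e.g. Europe/Zurich
    re.compile(r"-Dfile\.encoding=[A-Za-z0-9_\-]{1,20}"),  # e.g. UTF-8
]


def validate_runtime_options(raw: str) -> Tuple[List[str], List[str]]:
    """Tokenise a Runtime Options string and partition the tokens into
    (accepted, rejected). Tokens are matched whole against the allow-list."""
    accepted: List[str] = []
    rejected: List[str] = []
    for token in shlex.split(raw):
        if any(p.fullmatch(token) for p in ALLOWED_OPTION_PATTERNS):
            accepted.append(token)
        else:
            rejected.append(token)
    return accepted, rejected


def apply_or_refuse(raw: str) -> List[str]:
    """Return the validated option list, or raise if any token is not
    allow-listed. A single rejected token refuses the whole submission, so a
    management-interface switch cannot ride along with a legitimate heap change."""
    accepted, rejected = validate_runtime_options(raw)
    if rejected:
        raise ValueError(f"rejected JVM options: {rejected}")
    return accepted


def audit_option_change(previous: str, submitted: str) -> List[str]:
    """Detection aid: list options present in the submitted value but not in
    the stored one, so a change to Runtime Options can be reviewed before the
    next restart applies it."""
    before = set(shlex.split(previous))
    after = set(shlex.split(submitted))
    return sorted(after - before)


if __name__ == "__main__":
    # Constructed sample inputs: a benign heap change and one that also adds
    # a JMX remote-management property, which the allow-list refuses.
    print(apply_or_refuse("-Xmx4g -Xms1g"))
    submitted = "-Xmx4g -Dcom.sun.management.jmxremote.port=9999"
    print(audit_option_change("-Xmx4g", submitted))
    try:
        apply_or_refuse(submitted)
    except ValueError as exc:
        print(exc)
```

The validator refuses the whole submission rather than silently dropping the bad token, which keeps the administrator's intent visible in the error and leaves a clear line in the audit trail; the audit helper gives a reviewer the exact delta to approve before a restart makes it effective.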
EPSS for the CVE has remained flat at 0.0621 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-39681
Vulnerability details
Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators who can modify the Runtime Options in the web interface can inject Java Runtime Options. These take effect after a restart. For example, an attacker can enable JMX services and consequently achieve remote code execution as the system user.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.