Cyber Resilience

CVE-2022-37027

High · Public PoC

Published: 21 September 2022
Modified: 28 May 2025
KEV Added
Patch
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0621 (91.1st percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-37027 is a high-severity Argument Injection (CWE-88) vulnerability in Ahsay Cloud Backup Suite. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 8.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Ahsay AhsayCBS version 9.1.4.0 contains an argument injection flaw (CWE-88) tracked as CVE-2022-37027. An authenticated administrator can supply arbitrary Java JVM options through the Runtime Options field in the web interface; the injected options are applied on the next service restart and can alter JVM behavior, for example by enabling remote management interfaces.

An attacker with administrative credentials can therefore enable services such as JMX, bind them to network interfaces, and obtain remote code execution in the context of the AhsayCBS system user. The attack requires high privileges and network access but no user interaction, yielding a CVSS 7.2 rating.

Vendor release notes for version 9.3.2.0 and subsequent hotfixes address the issue by restricting the set of permitted JVM arguments. Compass Security advisory CSNC-2022-009 and the associated Ahsay download pages provide the recommended upgrade path and configuration guidance for administrators.
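The vendor's fix strategy, restricting the set of permitted JVM arguments, can be expressed as an allowlist validator for the Runtime Options field. The following is an added reference check written for this page, not Ahsay's code or the actual 9.3.2.0 filter; the allowed option shapes and the sample field values are constructed for illustration.

```python
import re
import shlex
from typing import List, Tuple

# Allowlist of JVM option shapes an operator legitimately needs in a backup
# server's Runtime Options field (constructed for this example; the real
# AhsayCBS allowlist is not published on the page).
ALLOWED_OPTION_PATTERNS = [
    re.compile(r"^-Xm[sx]\d+[kKmMgG]?$"),                    # heap sizing, e.g. -Xmx4g
    re.compile(r"^-Xss\d+[kKmMgG]?$"),                       # thread stack size
    re.compile(r"^-XX:[+-]Use(Serial|Parallel|G1|Z)GC$"),    # GC selection
    re.compile(r"^-XX:MaxMetaspaceSize=\d+[kKmMgG]?$"),
    re.compile(r"^-Dfile\.encoding=[A-Za-z0-9_-]+$"),
    re.compile(r"^-Duser\.timezone=[A-Za-z0-9_/+-]+$"),
]


def validate_runtime_options(field: str) -> Tuple[List[str], List[str]]:
    """Split the field the way a launcher would and sort every token into
    (accepted, rejected). Anything not matching an allowlisted shape is
    rejected: that covers management agents such as JMX, debug/agent
    loaders, and any -D property that is not explicitly permitted."""
    try:
        tokens = shlex.split(field)
    except ValueError:
        # Unbalanced quoting: refuse the whole field rather than guess.
        return [], [field]
    accepted, rejected = [], []
    for tok in tokens:
        if any(p.fullmatch(tok) for p in ALLOWED_OPTION_PATTERNS):
            accepted.append(tok)
        else:
            rejected.append(tok)
    return accepted, rejected


def runtime_options_are_safe(field: str) -> bool:
    """Policy entry point: apply the field only if nothing was rejected."""
    return not validate_runtime_options(field)[1]


if __name__ == "__main__":
    # Constructed sample inputs: a benign tuning string and one that smuggles
    # in a JMX management property, which the allowlist refuses.
    for sample in ("-Xmx4g -Xms512m -Dfile.encoding=UTF-8",
                   "-Xmx4g -Dcom.sun.management.jmxremote -Dfile.encoding=UTF-8"):
        print(sample, "->", validate_runtime_options(sample))
```

Rejecting rather than silently dropping unknown tokens also gives you an audit event to log: a rejected Runtime Options change by an administrator account is worth alerting on.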

EPSS for the CVE has remained flat at 0.0621 with no material increase after disclosure.

EU & UK References

Vulnerability details

Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators that can modify the Runtime Options in the web interface can inject Java Runtime Options. These take effect after a restart. For example, an attacker can enable JMX services and consequently achieve remote code execution as the system user.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ahsay
cloud backup suite
9.1.4.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References