Cyber Resilience

CVE-2022-39197

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 22 September 2022
Modified: 03 November 2025
KEV Added: 30 March 2023
Patch: available (version 4.7.1)
CVSS Score (v3.1): 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.1964 (95.6th percentile)
Risk Priority: 44 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-39197 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in HelpSystems Cobalt Strike. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 4.4% of CVEs by exploit likelihood (EPSS 95.6th percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

An XSS vulnerability exists in HelpSystems Cobalt Strike through version 4.7. The flaw resides in the teamserver component and permits a remote attacker to execute arbitrary HTML by supplying a malformed username field inside a Cobalt Strike payload.

Exploitation requires an attacker to first inspect a generated payload, extract its configuration, and then either alter the username field in that payload or craft a new payload containing the same information with a deliberately malformed username. Successful exploitation results in HTML execution on the teamserver; the flaw is scored CVSS 6.1 and classified under CWE-79.

Cobalt Strike released an out-of-band update to version 4.7.1 to address the issue. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed real-world exploitation activity. The associated EPSS score has remained near 0.20 without a pronounced increase after disclosure.

EU & UK References

Vulnerability details

An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver. To exploit the vulnerability, one must first inspect a Cobalt Strike payload, and then modify the username field in the payload (or create a new payload with the extracted information and then modify that username field to be malformed).

CWE(s): CWE-79 (Cross-site Scripting)
KEV Date Added: 30 March 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: helpsystems
Product: cobalt strike
Versions: ≤ 4.7.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Directly blocks the malformed username field in inspected payloads from being processed as executable HTML by the teamserver.

prevent (SI-2, Flaw Remediation): Requires prompt application of the vendor patch that eliminates the input-handling flaw in Cobalt Strike 4.7.1.

detect: Enables monitoring of anomalous HTTP or payload submissions that could indicate attempted XSS exploitation against the teamserver.
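The SI-10 control above describes the general defence for this class of flaw: a username carried inside an untrusted payload must be validated before use and encoded before it reaches an HTML context. The following is an added illustration of that pattern, not Cobalt Strike's code or anything from the vendor's fix; the allowlist regex, the function names and the sample usernames are all constructed for the example.

```python
import html
import re
from typing import Tuple, Dict

# Constructed sample values standing in for the username field of an
# untrusted payload configuration (not real captured data).
SAMPLE_USERNAMES = [
    "operator1",                  # well-formed
    "op.two-three_4",             # well-formed, allowed punctuation
    "<script>alert(1)</script>",  # malformed: contains HTML markup
    'bob"x',                      # malformed: contains a quote character
    "",                           # malformed: empty
]

# Allowlist (an assumption for this example): only characters that can
# never open an HTML tag or break out of an attribute value, 1-64 long.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def validate_username(name: str) -> bool:
    """Input validation in the SI-10 sense: accept only the allowlisted form.
    Anything else is rejected outright rather than 'cleaned up'."""
    return USERNAME_RE.fullmatch(name) is not None


def render_username_cell(name: str) -> str:
    """Output encoding, the second layer: even if a bad value reaches an HTML
    context, entity-escaping makes the browser display it as text."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


def process_username(name: str) -> Tuple[bool, str]:
    """Validate first, then render only accepted values, never concatenating
    the raw string into HTML. Returns (accepted, html_fragment)."""
    if not validate_username(name):
        return False, ""
    return True, render_username_cell(name)


def triage(names) -> Dict[str, bool]:
    """Map each candidate username to its validation verdict; a defender can
    feed the rejected ones to the detect control as an anomaly signal."""
    return {name: validate_username(name) for name in names}


if __name__ == "__main__":
    for name, ok in triage(SAMPLE_USERNAMES).items():
        verdict = "accepted" if ok else "REJECTED"
        print(f"{verdict:8s} {render_username_cell(name)}")
```

The two layers are deliberately independent: validation stops malformed usernames at the boundary, and escaping guarantees that a value which slips past validation (or arrives through another path) is still rendered inert. A rejected username is also worth logging, since on this page's own account a malformed username in a payload is the exploitation signature the detect control looks for.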

References