CVE-2022-39197
Published: 22 September 2022
Summary
CVE-2022-39197 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in HelpSystems Cobalt Strike. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 4.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
An XSS vulnerability exists in HelpSystems Cobalt Strike through version 4.7. The flaw resides in the teamserver component and permits a remote attacker to execute arbitrary HTML on the teamserver by supplying a malformed username field inside a Cobalt Strike payload.
Exploitation requires an attacker to first inspect a generated payload, extract its configuration, and then either alter the username field in that payload or craft a new payload containing the same information with a deliberately malformed username. Successful exploitation results in HTML execution on the teamserver; the issue carries a CVSS score of 6.1 under CWE-79.
HelpSystems released an out-of-band update, Cobalt Strike 4.7.1, to address the issue. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, which reflects observed real-world exploitation activity. The associated EPSS score has remained near 0.20, without a pronounced increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-41742
Vulnerability details
An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver. To exploit the vulnerability, one must first inspect a Cobalt Strike payload, and then modify the username field in the payload (or create a new payload with the extracted information and then modify that username field to be malformed).
- CWE(s): CWE-79 (Cross-site Scripting)
- KEV Date Added: 30 March 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly blocks the malformed username field in inspected payloads from being processed as executable HTML by the teamserver.
- SI-2 (Flaw Remediation): requires prompt application of the vendor patch that eliminates the input-handling flaw in Cobalt Strike 4.7.1.
- Monitoring: enables detection of anomalous HTTP or payload submissions that could indicate attempted XSS exploitation against the teamserver.