Cyber Resilience

CVE-2022-40022

Tags: Critical · Public PoC · RCE

Published: 13 February 2023
Modified: 21 March 2025
KEV Added: not listed
Patch: none described
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.9078 (99.6th percentile)
Risk priority: 74 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-40022 is a critical-severity Command Injection (CWE-77) vulnerability in Microchip Syncserver S650 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Microchip Technology (Microsemi) SyncServer S650 contains a command injection vulnerability tracked as CVE-2022-40022 and assigned CWE-77. The flaw received a CVSS 3.1 score of 9.8, reflecting network attack vector, low attack complexity, and no requirements for authentication or user interaction. The affected device is a network time server used for precise timing and synchronization in enterprise and telecommunications environments.

Unauthenticated remote attackers can exploit the issue over the network to inject and execute arbitrary operating-system commands. Successful exploitation grants full control over the device, enabling complete compromise of confidentiality, integrity, and availability without any prior credentials or user assistance.

Public references include an exploit proof-of-concept published on Packet Storm and a detailed advisory on Securifera, confirming unauthenticated remote command execution is achievable. The EPSS score currently stands at 0.9078 with a recorded peak of 0.9084, indicating sustained high exploitation probability since disclosure. No vendor patch or mitigation guidance is described in the supplied references.

Vulnerability details

Microchip Technology (Microsemi) SyncServer S650 was discovered to contain a command injection vulnerability.

CWE(s)

CWE-77: Command Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microchip SyncServer S650 firmware, all versions

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
