CVE-2022-40022
Published: 13 February 2023
Summary
CVE-2022-40022 is a critical-severity Command Injection (CWE-77) vulnerability in Microchip Syncserver S650 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, this CVE is ranked in the top 0.4% of all CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Microchip Technology (Microsemi) SyncServer S650 contains a command injection vulnerability tracked as CVE-2022-40022 and assigned CWE-77. The flaw received a CVSS 3.1 score of 9.8, reflecting network attack vector, low attack complexity, and no requirements for authentication or user interaction. The affected device is a network time server used for precise timing and synchronization in enterprise and telecommunications environments.
Unauthenticated remote attackers can exploit the issue over the network to inject and execute arbitrary operating-system commands. Successful exploitation grants full control over the device, enabling complete compromise of confidentiality, integrity, and availability without any prior credentials or user assistance.
Public references include an exploit proof-of-concept published on Packet Storm and a detailed advisory on Securifera, confirming unauthenticated remote command execution is achievable. The EPSS score currently stands at 0.9078 with a recorded peak of 0.9084, indicating sustained high exploitation probability since disclosure. No vendor patch or mitigation guidance is described in the supplied references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-43347
Vulnerability details
Microchip Technology (Microsemi) SyncServer S650 was discovered to contain a command injection vulnerability.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.