Cyber Resilience

CVE-2022-40443

Severity: Medium · Public PoC

Published: 22 September 2022

Modified: 27 May 2025
CVSS Score (v3.1): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.1219 (94.0th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-40443 is a medium-severity Path Traversal (CWE-22) vulnerability in ZZCMS (vendor: Zzcms). Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 6.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

An absolute path traversal vulnerability tracked as CVE-2022-40443 affects ZZCMS 2022 and is classified as CWE-22. The flaw resides in the /one/siteinfo.php script and permits an unauthenticated remote attacker to read arbitrary files on the server by supplying a crafted absolute path in a GET request. It received a CVSS 3.1 base score of 5.3, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction, with impact limited to partial loss of confidentiality.

An attacker can exploit the issue simply by issuing a suitably formed HTTP GET request to the affected endpoint, bypassing normal access controls to retrieve sensitive configuration files or other data stored on the filesystem. No authentication or special preconditions are needed, so the vulnerability is reachable from any network position that can reach the web application.

The associated EPSS score has remained flat at 0.1219 with no material rise after disclosure. Public references consist of GitHub issue reports that document the path traversal vector but supply no additional exploitation details or mitigation guidance.

Vulnerability details

An absolute path traversal vulnerability in ZZCMS 2022 allows attackers to obtain sensitive information via a crafted GET request sent to /one/siteinfo.php.

CWE(s): CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: zzcms
Product: zzcms
Version: 2022

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
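The control above describes the generic fix for CWE-22: reject absolute paths, canonicalise whatever remains, and confirm the result still sits inside the directory the application intended to serve from. The following Python snippet is an added illustration of that check written for this page; it is not ZZCMS code and says nothing about how /one/siteinfo.php is actually implemented or patched. The function names (resolve_within, classify, demo), the "templates" base directory and the sample file names are all constructed for the demonstration. It goes slightly beyond the CVE's absolute-path variant by also catching dot-dot segments, NUL bytes and symlinks that point outside the base directory, since a validator that handles only one of these is easy to get wrong.

```python
import os
import shutil
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the permitted directory."""


def resolve_within(base_dir, user_path):
    """Return the canonical absolute Path of user_path inside base_dir.

    Raises PathTraversalError when the input is absolute (the CWE-22 variant
    described for this CVE), contains a NUL byte, or canonicalises to a
    location outside base_dir (via '..' segments or an escaping symlink).
    """
    # Absolute input is never acceptable for a file that should live under base_dir.
    # The leading-backslash check also catches Windows-style inputs on POSIX hosts.
    if os.path.isabs(user_path) or user_path.startswith(("/", "\\")):
        raise PathTraversalError("absolute paths are not accepted")
    # NUL bytes can truncate the path in C-based file APIs, bypassing suffix checks.
    if "\x00" in user_path:
        raise PathTraversalError("NUL byte in path")
    base = Path(base_dir).resolve()
    # Join first, then canonicalise: '..' segments and symlinks are collapsed
    # before the containment check, so the check sees the real target.
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversalError(f"{user_path!r} escapes {base}") from None
    return candidate


def classify(base_dir, user_path):
    """Return ('allow', resolved_path) or ('deny', reason) for one input."""
    try:
        return ("allow", str(resolve_within(base_dir, user_path)))
    except PathTraversalError as exc:
        return ("deny", str(exc))


def build_demo():
    """Create a constructed directory layout: a served 'templates' directory,
    a sensitive file one level above it, and a symlink that escapes upward."""
    root = Path(tempfile.mkdtemp(prefix="cwe22-demo-"))
    base = root / "templates"
    base.mkdir()
    (base / "site.html").write_text("<h1>site</h1>")
    (root / "secret.conf").write_text("db_password=constructed-sample")
    (base / "escape").symlink_to(root)  # symlink inside base pointing outside it
    return root, base


def demo():
    """Run the validator over representative inputs and return the decisions."""
    root, base = build_demo()
    cases = [
        "site.html",            # ordinary relative file: allowed
        "sub/../site.html",     # '..' that stays inside base: allowed
        "../secret.conf",       # '..' that leaves base: denied
        "/etc/passwd",          # absolute path, the vector in this CVE: denied
        "escape/secret.conf",   # traversal through an escaping symlink: denied
        "site.html\x00.txt",    # NUL-byte truncation attempt: denied
    ]
    try:
        return {case: classify(base, case)[0] for case in cases}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{decision:5}  {case!r}")
```

The important design choice is the order of operations: the containment test runs on the fully resolved path, not on the raw string, so a denylist of "../" substrings is never needed and cannot be bypassed by encoding tricks or symlinks. In a real application the base directory would be fixed in configuration rather than taken from the request.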