Cyber Resilience

CVE-2022-40916

Critical · Public PoC

Published: 06 February 2025
Modified: 31 December 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: (no link shown)
CVSS Score (v3.1): 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0057 (69.1st percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-40916 is a critical-severity Session Fixation (CWE-384) vulnerability in Prasathmani Tiny File Manager. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 30.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-40916 is a session fixation vulnerability affecting Tiny File Manager versions 2.4.7 and below. This issue, linked to CWE-384, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impact across confidentiality, integrity, and availability.

The vulnerability is exploitable remotely over the network with low attack complexity, requiring neither privileges nor user interaction. By fixing a session identifier in advance, an attacker can hijack the session once a legitimate user authenticates with it, achieving high-impact unauthorized access, data manipulation, and disruption of the file manager's operations.

Mitigation details and patches are available in the Tiny File Manager GitHub repository at https://github.com/prasathmani/tinyfilemanager. A proof-of-concept demonstrating the exploit is provided at https://github.com/whitej3rry/CVE-2022-40916/blob/main/PoC.md.

EU & UK References

Vulnerability details

Tiny File Manager v2.4.7 and below is vulnerable to session fixation.

CWE(s)

CWE-384 Session Fixation

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1550.004 Web Session Cookie (Lateral Movement)
Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

Session fixation in a public-facing web application directly enables remote exploitation (T1190) and the use of hijacked web session material for unauthorized access (T1550.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-27661 (shared CWE-384)
CVE-2026-2177 (shared CWE-384)
CVE-2026-25101 (shared CWE-384)
CVE-2025-7015 (shared CWE-384)
CVE-2026-24352 (shared CWE-384)
CVE-2026-33492 (shared CWE-384)
CVE-2025-63529 (shared CWE-384)
CVE-2025-52689 (shared CWE-384)
CVE-2023-53776 (shared CWE-384)
CVE-2026-23796 (shared CWE-384)

Affected Assets

prasathmani tiny file manager ≤ 2.4.7

Mitigating Controls (NIST 800-53 r5, AI)

SI-2 Flaw Remediation (prevent)
Directly remediates the session fixation vulnerability by identifying, patching, and verifying the fix as provided in the Tiny File Manager repository.

SC-23 Session Authenticity (prevent)
Mandates mechanisms to protect the authenticity of remote communications sessions, directly countering session fixation by ensuring session identifiers cannot be improperly reused.

Session termination (prevent; the control ID is not shown on the page, the description matches NIST 800-53 AC-12 Session Termination)
Automatically terminates user sessions after defined inactivity periods or events, reducing the time window for attackers to exploit fixed session identifiers.
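The following is an added example, not code from the CVE page or from the Tiny File Manager project, written to make concrete both the failure mode described in the deeper analysis (an identifier fixed before login stays valid after it) and the property SC-23 asks for (identifiers cannot be improperly reused). It is a generic in-memory session store with two login paths: a vulnerable one that adopts whatever identifier the request carries, and a hardened one that refuses unissued identifiers and rotates the identifier on authentication. All names, identifiers and the "alice" user are constructed for illustration.

```python
"""Added example: session fixation modelled against a minimal session store.

Not the Tiny File Manager code; every identifier here is constructed.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    user: Optional[str] = None          # None until authentication succeeds
    data: dict = field(default_factory=dict)


class SessionStore:
    """Server-side table of session id -> Session."""

    def __init__(self) -> None:
        self._sessions = {}  # type: dict

    def new_session(self) -> str:
        """Issue a fresh, server-generated identifier (pre-authentication)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login_vulnerable(self, sid: str, user: str) -> str:
        """CWE-384 pattern: the identifier presented at login is kept, and an
        identifier the server never issued is silently adopted. Anyone who
        knew `sid` before login now holds an authenticated session."""
        session = self._sessions.setdefault(sid, Session())
        session.user = user
        return sid

    def login_hardened(self, sid: str, user: str) -> str:
        """SC-23 behaviour: drop the pre-login identifier, refuse to adopt an
        identifier the server did not issue, and bind the authenticated state
        to a newly generated identifier (the one the client must use next)."""
        old = self._sessions.pop(sid, None)       # old id is invalidated either way
        if old is None:
            old = Session()                       # unissued id: start clean instead
        old.user = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = old            # state (if any) carries over
        return new_sid


def simulate_fixation(login_method_name: str) -> dict:
    """Replay the scenario from the analysis: a user authenticates while
    presenting an identifier that was already known before login. Returns what
    the holder of that pre-known identifier gets afterwards."""
    store = SessionStore()
    fixed_sid = "constructed-pre-known-session-id"   # constructed, never issued by the store
    login = getattr(store, login_method_name)
    issued_sid = login(fixed_sid, "alice")
    fixed_session = store.get(fixed_sid)
    return {
        "fixed_id_authenticated": fixed_session is not None and fixed_session.user == "alice",
        "new_id_issued": issued_sid != fixed_sid,
        "new_id_authenticated": store.get(issued_sid).user == "alice",
    }


def rotation_preserves_state() -> bool:
    """Legitimate flow under the hardened path: a server-issued pre-login
    session keeps its data after login, but only under the new identifier."""
    store = SessionStore()
    pre_sid = store.new_session()
    store.get(pre_sid).data["lang"] = "en"
    post_sid = store.login_hardened(pre_sid, "alice")
    return (
        store.get(pre_sid) is None                    # pre-login id no longer resolves
        and store.get(post_sid).user == "alice"
        and store.get(post_sid).data == {"lang": "en"}
    )


if __name__ == "__main__":
    print("vulnerable:", simulate_fixation("login_vulnerable"))
    print("hardened:  ", simulate_fixation("login_hardened"))
    print("state preserved across rotation:", rotation_preserves_state())
```

The two checks a reviewer would carry into a real code base are the ones `login_hardened` encodes: never adopt an identifier the server did not issue, and always bind authenticated state to a freshly generated identifier at the privilege boundary (in PHP that is `session_regenerate_id(true)` on successful login). Pairing this with an inactivity timeout shortens the window further, which is the role the session-termination control plays above.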

References