Cyber Resilience

CVE-2022-4116

Severity: Critical
Published: 22 November 2022
Modified: 29 April 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0290 (86.7th percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-4116 is a critical-severity vulnerability in Quarkus; no CWE has been mapped to it, so the weakness type is recorded as unspecified. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 13.3% of CVEs by exploit likelihood (EPSS 86.7th percentile), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

A vulnerability was identified in the Quarkus Dev UI Config Editor that permits drive-by localhost attacks resulting in remote code execution. The flaw affects the Quarkus framework and carries a CVSS 3.1 score of 9.8, reflecting network-reachable exploitation that requires neither authentication nor user interaction.

In a drive-by localhost attack the developer's own browser acts as the relay: a page served from a remote origin causes the browser to issue requests to the Dev UI listening on localhost, and because the Config Editor acted on those requests without checking where they originated, an attacker on a remote system can execute arbitrary code on the affected host, with full confidentiality, integrity, and availability impact.
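The defensive counterpart to the drive-by pattern described above is a request-origin check on the localhost-bound endpoint: the Host header must name the loopback dev endpoint (so a remote name that resolves to 127.0.0.1 is rejected), and the browser-supplied Origin and Sec-Fetch-Site headers must show a same-origin request before anything state-changing is acted on. The Python below is an added example written for this page, not Quarkus code and not the project's actual fix; the function names, the port 8080 and the sample request headers are constructed assumptions.

```python
"""Origin/Host allow-listing for a loopback-only developer endpoint.

Added example (not Quarkus code). Demonstrates the class of check that
stops drive-by localhost attacks: a remote page drives the developer's
browser into sending requests to http://localhost:<port>, so the endpoint
must refuse requests whose headers show a non-loopback Host or a
cross-site initiator.
"""
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
# Sec-Fetch-Site values a browser sends for a same-origin request or a
# plain user navigation (typed URL / bookmark).
TRUSTED_FETCH_SITES = {"same-origin", "none"}


def split_host_port(netloc):
    """Split 'host:port' (also '[v6addr]:port') into (host, port or None)."""
    if netloc.startswith("["):  # bracketed IPv6 literal
        end = netloc.find("]")
        if end == -1:
            return None, None
        host, rest = netloc[1:end], netloc[end + 1:]
    else:
        host, sep, rest = netloc.partition(":")
        rest = sep + rest
    port = None
    if rest.startswith(":"):
        if not rest[1:].isdigit():
            return None, None
        port = int(rest[1:])
    return host.lower(), port


def is_allowed_dev_request(method, headers, dev_port=8080):
    """Return True only for requests a loopback dev endpoint should act on.

    headers: mapping of HTTP header name -> value (case-insensitive).
    """
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Host must be the loopback dev endpoint itself. This also defeats
    #    DNS rebinding, where an attacker-controlled name resolves to
    #    127.0.0.1 but the Host header still carries that remote name.
    host, port = split_host_port(h.get("host", ""))
    if host not in LOOPBACK_HOSTS or (port if port is not None else 80) != dev_port:
        return False

    # 2. Fetch metadata: when a browser tells us the initiator is
    #    cross-site (or same-site, e.g. another localhost port), refuse.
    site = h.get("sec-fetch-site")
    if site is not None and site not in TRUSTED_FETCH_SITES:
        return False

    # 3. Origin: browsers always attach it to cross-site state-changing
    #    requests, so a state-changing request without one is refused;
    #    a GET with no Origin is treated as an ordinary navigation.
    origin = h.get("origin")
    if origin is None:
        return method.upper() not in STATE_CHANGING
    if origin == "null":  # sandboxed / opaque origin: never trusted
        return False
    parts = urlsplit(origin)
    ohost, oport = split_host_port(parts.netloc)
    if oport is None:
        oport = 443 if parts.scheme == "https" else 80
    return ohost in LOOPBACK_HOSTS and oport == dev_port


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    samples = [
        ("same-origin POST from the Dev UI page", "POST",
         {"Host": "localhost:8080", "Origin": "http://localhost:8080",
          "Sec-Fetch-Site": "same-origin"}),
        ("drive-by POST from a remote page", "POST",
         {"Host": "localhost:8080", "Origin": "https://remote.example",
          "Sec-Fetch-Site": "cross-site"}),
        ("DNS-rebinding style Host header", "GET",
         {"Host": "dev.remote.example:8080"}),
        ("typed-URL GET", "GET", {"Host": "127.0.0.1:8080"}),
    ]
    for label, method, hdrs in samples:
        print(f"{label}: {'allowed' if is_allowed_dev_request(method, hdrs) else 'rejected'}")
```

The trade-off to be aware of: rule 3 also rejects state-changing requests from non-browser clients such as curl that omit Origin, so a tool that must drive the endpoint should send an explicit loopback Origin (or use a separate per-session token), rather than the server loosening the check.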

EPSS for the CVE rose from low values to a peak of 0.1890 on 2025-12-11 before receding to the current 0.0290, indicating a period of increased exploitation interest after disclosure that later subsided. Red Hat advisory pages reference the issue but supply no additional mitigation details in the available records.

EU & UK References

Vulnerability details

A vulnerability was found in Quarkus. The flaw is in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks leading to remote code execution.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: redhat, Product: build of quarkus, Versions: all versions
Vendor: quarkus, Product: quarkus, Versions: 2.13.5 and earlier; 2.14.0 to 2.14.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References