CVE-2022-41573
Published: 07 January 2025
Summary
CVE-2022-41573 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 36.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
Ovidentia 8.3 contains an unrestricted file upload vulnerability tracked as CVE-2022-41573 and classified as CWE-434. The application's file upload feature accepts executable content without validation, allowing a user to upload a PNG image that embeds PHP code and then rename the file to a .php extension. The resulting file is served from an images/common/ path, enabling remote code execution on the server.
An unauthenticated remote attacker can exploit the flaw over the network with low attack complexity. By uploading and then renaming the crafted file, the attacker obtains arbitrary code execution with the privileges of the web server process, which is what the CVSS 9.8 rating reflects: full confidentiality, integrity, and availability impact.
Public references include the project's Bitbucket repository and a GitHub repository maintained by Orange Cyberdefense that hosts a proof-of-concept exploit for CVE-2022-41573. No vendor advisory or patch information is provided in the available references.
The associated EPSS score has remained near 0.13 with only minor variation between its recorded peak and current value.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-44765
Vulnerability details
An issue was discovered in Ovidentia 8.3. The file upload feature does not prevent the uploading of executable files. A user can upload a .png file containing PHP code and then rename it to have the .php extension. It will then be accessible at an images/common/ URI for remote code execution.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload in a public-facing web app directly enables web shell deployment (PHP) for RCE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of file upload inputs to detect and reject disguised executable PHP code in image files.
- CM-6 (Configuration Settings): enforces secure web server configuration settings to disable PHP execution in publicly accessible upload directories such as images/common/.
- Malicious code protection: deploys scanning at file upload entry points to detect and remove embedded PHP code that would enable remote execution.
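The input-validation control above, as an added example that is not part of this record or of the Ovidentia code base; it is written in Python rather than the application's PHP so the checks are easy to run. It rejects an upload whose bytes do not match the declared image type or that carries a PHP open tag, stores the file under a server-chosen random name, and refuses any later rename that would change the extension. The function names, the allowed-type table and the sample inputs are all constructed for this example.

```python
import os
import re
import secrets

# Allowed image types: extension -> magic bytes the content must start with.
# Constructed allowlist for this example; extend per deployment.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# PHP open tags (<?php ... and the short echo form <?=). A valid image
# never needs these, so their presence anywhere in the bytes is grounds
# for rejection regardless of what the magic bytes say.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised when an upload or rename fails validation."""


def validate_upload(filename: str, data: bytes) -> str:
    """Validate an uploaded image and return the server-chosen name to store it as.

    The client-supplied filename is used only to read the declared extension;
    the stored name is random, so the client never controls the on-disk name.
    """
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext or '?'} is not an allowed image type")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared image type")
    if PHP_TAG_RE.search(data):
        raise UploadRejected("embedded PHP open tag found inside image data")
    return f"{secrets.token_hex(16)}.{ext}"


def safe_rename(stored_name: str, requested_name: str) -> str:
    """Allow a rename only if it keeps the extension assigned at upload time.

    This closes the upload-then-rename-to-.php path: the type checked at
    upload is the type the file keeps for its whole lifetime.
    """
    old_ext = os.path.splitext(stored_name)[1].lower()
    new_base, new_ext = os.path.splitext(os.path.basename(requested_name))
    if new_ext.lower() != old_ext or not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", new_base):
        raise UploadRejected("rename would change the file type or use an unsafe name")
    return new_base + old_ext
```

Pair these checks with the CM-6 control: even a validated directory such as images/common/ should have script execution disabled in the web server, so a bypass of the validator still cannot yield code execution.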