Cyber Resilience

CVE-2022-44006

Critical · Public PoC

Published: 16 November 2022
Modified: 30 April 2025
KEV Added: not listed (see Summary)
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0571 (90.6th percentile)
Risk Priority: 23 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-44006 is a critical-severity Path Traversal (CWE-22) vulnerability in BACKCLICK Professional (vendor: Backclick). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 9.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-44006 affects BACKCLICK Professional version 5.9.63 and stems from improper validation or sanitization of upload filenames. An externally reachable update function allows files to be written outside the intended target directory, corresponding to CWE-22 path traversal and carrying a CVSS 3.1 score of 9.8.

Unauthenticated remote attackers can exploit the flaw over the network without user interaction to upload arbitrary content, including executable files, and thereby achieve remote code execution on the affected system.

Public advisories published by SySS at the referenced URLs describe the issue in detail and are accompanied by a related technical blog post on multiple vulnerabilities in the same product.

The associated EPSS score has remained flat at 0.0571 with no material increase observed after disclosure.

Vulnerability details

An issue was discovered in BACKCLICK Professional 5.9.63. Due to improper validation or sanitization of upload filenames, an externally reachable, unauthenticated update function permits writing files outside the intended target location. Achieving remote code execution is possible, e.g., by uploading an executable file.

CWE(s): CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: backclick
Product: backclick
Version: 5.9.63

Mitigating Controls

Likely Mitigating Controls (AI-derived mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
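The control above, as an added, illustrative implementation in Python. This is not code from the BACKCLICK product or from the SySS advisory; the upload directory, the extension allow-list and the function names are assumptions chosen for the example. It shows the two layers a hardened upload handler needs: strict rejection of any filename that is not a single plain path component, and an independent containment check on the resolved path so that a bypass of the first layer still cannot write outside the upload directory.

```python
"""Hardened handling of client-supplied upload filenames (CWE-22).

Added example, not the product's or the advisory's code. The upload
directory, ALLOWED_EXTENSIONS and the function names are assumptions.
"""
import os
import posixpath
import re

# Assumed allow-list of content the upload endpoint legitimately needs.
# Executable types are deliberately absent.
ALLOWED_EXTENSIONS = {".csv", ".txt", ".png", ".jpg"}

# One plain path component: starts with an alphanumeric, then a bounded
# run of alphanumerics, dots, underscores or hyphens. No separators.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename is rejected."""


def sanitize_filename(raw: str) -> str:
    """Accept only a single, plain filename component.

    Rejects rather than "repairs" anything suspicious: NUL bytes, any
    directory separator ('/' or '\\'), dot-only or dot-leading names,
    and extensions outside the allow-list.
    """
    if not isinstance(raw, str) or "\x00" in raw:
        raise UnsafeFilename("NUL byte or non-string filename")
    # Backslash is a separator on Windows; treat it as one everywhere.
    if "/" in raw or "\\" in raw:
        raise UnsafeFilename("directory separators are not allowed")
    if raw in ("", ".", "..") or not _SAFE_NAME.match(raw):
        raise UnsafeFilename(f"rejected filename component: {raw!r}")
    ext = posixpath.splitext(raw)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeFilename(f"extension not allowed: {ext!r}")
    return raw


def resolve_upload_path(upload_dir: str, raw_filename: str) -> str:
    """Return an absolute target path inside upload_dir.

    The realpath containment check is a second, independent line of
    defence: even if sanitize_filename were bypassed, a result that does
    not stay under the upload directory is refused.
    """
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, sanitize_filename(raw_filename)))
    if os.path.commonpath([base, target]) != base:
        raise UnsafeFilename("resolved path escapes the upload directory")
    return target


def is_safe(upload_dir: str, raw_filename: str) -> bool:
    """True if the filename would be accepted by resolve_upload_path."""
    try:
        resolve_upload_path(upload_dir, raw_filename)
        return True
    except UnsafeFilename:
        return False


if __name__ == "__main__":
    # Constructed sample inputs of the kind an update endpoint might receive.
    samples = [
        "report.csv",
        "../../outside/file.txt",
        "..\\..\\outside\\file.txt",
        "update.exe",
        "image.png\x00.txt",
        ".htaccess",
    ]
    for s in samples:
        verdict = "accepted" if is_safe("/tmp/uploads", s) else "rejected"
        print(f"{s!r:35} -> {verdict}")
```

The allow-list on extensions is what addresses the "upload an executable file" path to code execution described above; the separator and containment checks address the traversal itself. Rejecting suspicious input outright, instead of stripping directory components and continuing, keeps the handler's behaviour easy to audit and makes rejected uploads visible in logs.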