CVE-2022-44088
Published: 10 November 2022
Summary
CVE-2022-44088 is a critical-severity Code Injection (CWE-94) vulnerability in Ecisp Espcms. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 10.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
ESPCMS version P8.21120101 contains a remote code execution vulnerability in the INPUT_ISDESCRIPTION component. The flaw is tracked as CVE-2022-44088 with a CVSS 3.1 score of 9.8 and is associated with CWE-94 code injection, allowing unauthenticated network attackers to supply crafted input that results in arbitrary code execution on the server.
An attacker with no credentials or user interaction can send malicious requests directly to the affected component over the network, achieving full confidentiality, integrity, and availability impact on the target system. The high severity rating reflects that successful exploitation grants complete control equivalent to code running under the web application's privileges.
Public references consist of the vendor site espcms.com and an issue report on Gitee, but no explicit patch details or mitigation guidance are provided in the available references. The EPSS score rose from low values after disclosure to a peak of 0.1531 in late 2025 before receding to the current 0.0447, indicating a period of increased exploitation interest well after the initial publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-47039
Vulnerability details
ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component INPUT_ISDESCRIPTION.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
Validates inputs used in dynamic code generation to block injected directives.
Directly prevents execution of attacker-supplied code written into data memory regions.