Cyber Resilience

CVE-2022-44088

CriticalPublic PoCRCE

Published: 10 November 2022

Published
10 November 2022
Modified
01 May 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0447 89.3th percentile
Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-44088 is a critical-severity Code Injection (CWE-94) vulnerability in Ecisp Espcms. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 10.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

ESPCMS version P8.21120101 contains a remote code execution vulnerability in the INPUT_ISDESCRIPTION component. The flaw is tracked as CVE-2022-44088 with a CVSS 3.1 score of 9.8 and is associated with CWE-94 code injection, allowing unauthenticated network attackers to supply crafted input that results in arbitrary code execution on the server.

An attacker with no credentials or user interaction can send malicious requests directly to the affected component over the network, achieving full confidentiality, integrity, and availability impact on the target system. The high severity rating reflects that successful exploitation grants complete control equivalent to code running under the web application's privileges.

Public references consist of the vendor site espcms.com and an issue report on Gitee, but no explicit patch details or mitigation guidance are provided in the available references. The EPSS score rose from low values after disclosure to a peak of 0.1531 in late 2025 before receding to the current 0.0447, indicating a period of increased exploitation interest well after the initial publication.

EU & UK References

Vulnerability details

ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component INPUT_ISDESCRIPTION.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ecisp
espcms
p8.21120101

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-94

Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

addresses: CWE-94

Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

addresses: CWE-94

Validates inputs used in dynamic code generation to block injected directives.

addresses: CWE-94

Directly prevents execution of attacker-supplied code written into data memory regions.

References