Cyber Resilience

CVE-2022-4987

High · Public PoC · LPE

Published: 03 April 2026

Modified: 07 April 2026
KEV Added
Patch
CVSS Score v4: 7.0 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0000 (0.2th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-4987 is a high-severity Untrusted Search Path (CWE-426) vulnerability. Its CVSS base score is 7.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Search Order Hijacking (T1574.008). The CVE ranks at the 0.2th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).

Deeper analysis

Hirschmann Industrial HiVision versions 08.1.03 prior to 08.1.04 and 08.2.00 are affected by CVE-2022-4987, a vulnerability stemming from insufficient path sanitization in the execution of user-configured external applications (CWE-426). This flaw allows a local attacker to place a malicious binary in the execution path of a configured external application, causing it to execute instead of the intended application. The issue has a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), rated as high severity due to its potential for significant confidentiality, integrity, and availability impacts.

A local attacker with low privileges can exploit this vulnerability by leveraging the lack of path validation to hijack the execution of external applications. Exploitation requires user interaction, such as configuring or triggering the external application in a way that resolves to the attacker's malicious binary. Successful exploitation enables arbitrary code execution, potentially with elevated privileges depending on the context in which the external application runs, allowing full system compromise on the affected HiVision instance.

Mitigation involves upgrading to Hirschmann Industrial HiVision version 08.1.04 or 08.2.00, as indicated by the vulnerability's affected version range. Vendor guidance is available in the Belden Security Bulletin BSECV-2021-03 at https://assets.belden.com/m/62ae167036cb17c3/original/Microsoft-Word-Belden_Security_Bulletin_BSECV-2021-03_1v0-002-docx.pdf, and additional technical details are provided in the VulnCheck advisory at https://www.vulncheck.com/advisories/hirschmann-industrial-hivision-external-application-path-hijacking-leading-to-arbitrary-code-execution.

Vulnerability details

Hirschmann Industrial HiVision version 08.1.03 prior to 08.1.04 and 08.2.00 contains a vulnerability in the execution of user-configured external applications that allows a local attacker to execute arbitrary binaries. Due to insufficient path sanitization, an attacker can place a malicious binary in the execution path of a configured external application, causing it to be executed instead of the intended application. This can result in execution with elevated privileges depending on the context of the external application.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1574.008 Path Interception by Search Order Hijacking (Stealth)
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.
Why these techniques?

Insufficient path sanitization (CWE-426) directly enables an attacker to intercept executable search order by placing a malicious binary in the PATH, hijacking execution of a user-configured external application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25880 (Shared CWE-426)
CVE-2025-27167 (Shared CWE-426)
CVE-2026-25926 (Shared CWE-426)
CVE-2026-32009 (Shared CWE-426)
CVE-2025-1068 (Shared CWE-426)
CVE-2026-21280 (Shared CWE-426)
CVE-2026-30906 (Shared CWE-426)
CVE-2026-23512 (Shared CWE-426)
CVE-2025-21399 (Shared CWE-426)
CVE-2025-24789 (Shared CWE-426)

Affected Assets

Hirschmann Industrial HiVision
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

prevent

Directly mitigates CVE-2022-4987 by identifying, reporting, and applying vendor patches that fix the insufficient path sanitization flaw in affected HiVision versions.

prevent

Requires validation of paths provided as inputs to external application execution mechanisms, directly addressing the path sanitization failure exploited in this CVE.

prevent

Restricts user-installed or placed software, preventing local low-privilege attackers from dropping malicious binaries into execution paths used by user-configured external applications.
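
A small audit of the two conditions the path-validation and software-restriction controls above target, as an added example that is not code from the vendor or from this page's sources: whether a configured external-application command is given as an absolute path, and whether its file, its directory, or any directory searched before it is writable by group or other. It assumes POSIX mode bits; `audit_command`, `build_sample_tree` and the sample layout are hypothetical names constructed for illustration and do not reflect HiVision's configuration format.

```python
import os
import shlex
import stat
import tempfile


def loosely_writable(path):
    """True if group or other may write to path (POSIX mode bits only)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_command(command, search_path):
    """Added example (hypothetical helper): findings for one configured command."""
    program = shlex.split(command)[0]
    findings = []
    resolved = program if os.path.isabs(program) else None
    if resolved is None:
        findings.append("relative: resolved through the search order")
        for directory in search_path:
            candidate = os.path.join(directory, program)
            if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
                resolved = candidate
                break
            if os.path.isdir(directory) and loosely_writable(directory):
                findings.append(f"shadowable: {directory} is writable and searched first")
    if resolved is None or not os.path.isfile(resolved):
        return findings + ["unresolved: program not found"]
    for target in (resolved, os.path.dirname(resolved)):
        if loosely_writable(target):
            findings.append(f"writable: {target}")
    return findings


def build_sample_tree():
    """Constructed sample: a locked-down directory and a world-writable one."""
    root = tempfile.mkdtemp()
    trusted, drop = os.path.join(root, "trusted"), os.path.join(root, "drop")
    for directory, mode in ((trusted, 0o755), (drop, 0o777)):
        os.mkdir(directory)
        os.chmod(directory, mode)
    viewer = os.path.join(trusted, "viewer")
    with open(viewer, "w") as handle:
        handle.write("#!/bin/sh\n")
    os.chmod(viewer, 0o755)
    return trusted, drop, viewer


if __name__ == "__main__":
    trusted, drop, viewer = build_sample_tree()
    print(audit_command("viewer --open report", [drop, trusted]))
```

An empty result means the command is absolute and neither the file nor its directory is writable by group or other; any finding marks a configuration entry to correct or a directory whose permissions need tightening.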

References