CVE-2022-4987
Published: 03 April 2026
Summary
CVE-2022-4987 is a high-severity Untrusted Search Path (CWE-426) vulnerability. Its CVSS base score is 7.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Search Order Hijacking (T1574.008); ranked at the 0.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).
Deeper analysis
Hirschmann Industrial HiVision versions 08.1.03 prior to 08.1.04 and 08.2.00 are affected by CVE-2022-4987, a vulnerability stemming from insufficient path sanitization in the execution of user-configured external applications (CWE-426). This flaw allows a local attacker to place a malicious binary in the execution path of a configured external application, causing it to execute instead of the intended application. The issue has a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), rated as high severity due to its potential for significant confidentiality, integrity, and availability impacts.
A local attacker with low privileges can exploit this vulnerability by leveraging the lack of path validation to hijack the execution of external applications. Exploitation requires user interaction, such as configuring or triggering the external application in a way that resolves to the attacker's malicious binary. Successful exploitation enables arbitrary code execution, potentially with elevated privileges depending on the context in which the external application runs, allowing full system compromise on the affected HiVision instance.
Mitigation involves upgrading to Hirschmann Industrial HiVision version 08.1.04 or 08.2.00, as indicated by the vulnerability's affected version range. Vendor guidance is available in the Belden Security Bulletin BSECV-2021-03 at https://assets.belden.com/m/62ae167036cb17c3/original/Microsoft-Word-Belden_Security_Bulletin_BSECV-2021-03_1v0-002-docx.pdf, and additional technical details are provided in the VulnCheck advisory at https://www.vulncheck.com/advisories/hirschmann-industrial-hivision-external-application-path-hijacking-leading-to-arbitrary-code-execution.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-55962
Vulnerability details
Hirschmann Industrial HiVision version 08.1.03 prior to 08.1.04 and 08.2.00 contains a vulnerability in the execution of user-configured external applications that allows a local attacker to execute arbitrary binaries. Due to insufficient path sanitization, an attacker can place a malicious…
more
binary in the execution path of a configured external application, causing it to be executed instead of the intended application. This can result in execution with elevated privileges depending on the context of the external application.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Insufficient path sanitization (CWE-426) directly enables an attacker to intercept executable search order by placing a malicious binary in the PATH, hijacking execution of a user-configured external application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CVE-2022-4987 by identifying, reporting, and applying vendor patches that fix the insufficient path sanitization flaw in affected HiVision versions.
Requires validation of paths provided as inputs to external application execution mechanisms, directly addressing the path sanitization failure exploited in this CVE.
Restricts user-installed or placed software, preventing local low-privilege attackers from dropping malicious binaries into execution paths used by user-configured external applications.