Cyber Resilience

CVE-2022-50925

HighPublic PoC

Published: 13 January 2026

Published
13 January 2026
Modified
30 January 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0034 25.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2022-50925 is a high-severity Origin Validation Error (CWE-346) vulnerability in Prowise Reflect. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-15 (Collaborative Computing Devices and Applications) and SC-41 (Port and I/O Device Access).

Deeper analysis

Prowise Reflect version 1.0.9 is affected by CVE-2022-50925, a remote keystroke injection vulnerability. The flaw stems from an exposed WebSocket endpoint on port 8082 that allows attackers to send keyboard events. By crafting specific WebSocket messages, adversaries can inject keystrokes remotely, enabling actions such as opening applications and typing arbitrary text. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-346.

Any remote attacker can exploit this vulnerability without authentication or user interaction, as it requires only network access to the WebSocket on port 8082. Exploitation involves creating a malicious web page that connects to the target device and sends crafted messages mimicking keyboard inputs. Successful attacks grant attackers full control over the victim's machine, potentially leading to execution of commands, data exfiltration, or deployment of malware through injected keystrokes.

Advisories from VulnCheck and Exploit-DB document the issue, including a proof-of-concept exploit available at https://www.exploit-db.com/exploits/50796. The vendor site at https://www.prowise.com/ is referenced, though specific patch details are not detailed in available sources. Practitioners should isolate or firewall port 8082 and monitor for anomalous WebSocket traffic until mitigation is confirmed.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Prowise Reflect version 1.0.9 contains a remote keystroke injection vulnerability that allows attackers to send keyboard events through an exposed WebSocket on port 8082. Attackers can craft malicious web pages to inject keystrokes, opening applications and typing arbitrary text by…

more

sending specific WebSocket messages.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.003 Windows Command Shell Execution
Adversaries may abuse the Windows command shell for execution.
Why these techniques?

Exposed unauthenticated WebSocket enables remote exploitation of public-facing app (T1190); keystroke injection directly facilitates command execution via shell (T1059.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6508Shared CWE-346
CVE-2025-1102Shared CWE-346
CVE-2025-21511Shared CWE-346
CVE-2026-22794Shared CWE-346
CVE-2024-8487Shared CWE-346
CVE-2026-41057Shared CWE-346
CVE-2026-23552Shared CWE-346
CVE-2025-7659Shared CWE-346
CVE-2025-23023Shared CWE-346
CVE-2026-34373Shared CWE-346

Affected Assets

prowise
reflect
1.0.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prohibits unauthorized remote activation of collaborative computing mechanisms like the exposed WebSocket used for keystroke injection.

prevent

Monitors and controls communications at system boundaries to block unauthorized network access to the vulnerable WebSocket on port 8082.

prevent

Restricts access to specific ports like 8082 and I/O interfaces exploited for remote keystroke injection.

References