Cyber Resilience

CVE-2022-50973

CriticalPublic PoC

Published: 02 July 2026

Published
02 July 2026
Modified
02 July 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0086 54.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2022-50973 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Buaq (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Yonyou KSOA 9.0 contains an unauthenticated arbitrary file upload vulnerability in the com.sksoft.bill.ImageUpload servlet that allows unauthenticated attackers to upload arbitrary files by submitting a POST request with attacker-controlled filepath and filename parameters without any authentication, file type, extension, or…

more

content validation. Attackers can upload a JSP webshell by specifying a malicious filename and root filepath, with the uploaded file stored under the pictures directory and directly executed by the web server, resulting in unauthenticated remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2023-11-07 (UTC).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Direct unauthenticated file upload to deploy and execute JSP web shell on public-facing server.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Buaq
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authentication and authorization requirements before permitting any file upload operations to the ImageUpload servlet.

prevent

Requires validation of all input data including file paths, names, types, extensions, and content to block arbitrary malicious uploads.

prevent

Restricts the system to only necessary functionality, eliminating or disabling unauthenticated file-upload servlets that are not required for core operations.

References