CVE-2022-50981
Published: 02 February 2026
Summary
CVE-2022-50981 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Innomic (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 40.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).
Deeper analysis
CVE-2022-50981 is a critical authentication vulnerability (CWE-306: Missing Authentication for Critical Function) affecting certain Innomic devices, which ship without a default password and do not enforce setting one. This results in unauthenticated remote access to the devices, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue was published on 2026-02-02.
An unauthenticated attacker with network access to the affected devices can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation grants full access to the device, enabling high-impact confidentiality, integrity, and availability compromises, such as data exfiltration, modification, or denial of service.
Mitigation details are provided in the Innomic advisory, published in CSAF form as HTML at https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html and as JSON at https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json. Security practitioners should consult these for patching instructions or configuration changes to enforce authentication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-55958
Vulnerability details
An unauthenticated remote attacker can gain full access on the affected devices as they are shipped without a password by default and setting one is not enforced.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication for a critical, network-accessible function directly enables remote exploitation of a public-facing device without credentials or user interaction.
Mitigating Controls (NIST 800-53 r5)
IA-5 requires managing authenticators including changing default authenticator content prior to first use and establishing initial authenticators, directly preventing deployment of devices without required passwords.
AC-2 ensures proper account management including creation, authorization, and monitoring of accounts with authenticators, mitigating unauthenticated access to devices.
AC-14 identifies and restricts permitted actions without identification or authentication, ensuring full device access requires authentication rather than allowing it by default.