Cyber Resilience

CVE-2022-50981

Critical

Published: 02 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: see vendor references
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0053 (40.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2022-50981 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Innomic (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 40.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).

Deeper analysis

CVE-2022-50981 is a critical authentication vulnerability (CWE-306: Missing Authentication for Critical Function) affecting certain Innomic devices, which ship without a default password and do not enforce setting one. This results in unauthenticated remote access to the devices, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue was published on 2026-02-02.

An unauthenticated attacker with network access to the affected devices can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation grants full access to the device, enabling high-impact confidentiality, integrity, and availability compromises, such as data exfiltration, modification, or denial of service.

Mitigation details are provided in Innomic advisories, including the CSAF whitepaper at https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html and JSON format at https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json. Security practitioners should consult these for patching instructions or configuration changes to enforce authentication.

Vulnerability details

An unauthenticated remote attacker can gain full access on the affected devices as they are shipped without a password by default and setting one is not enforced.

CWE(s)

CWE-306 Missing Authentication for Critical Function

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Missing authentication for a critical network-accessible function directly enables remote exploitation of a public-facing device without credentials or user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4810 (shared CWE-306)
CVE-2025-53847 (shared CWE-306)
CVE-2025-61757 (shared CWE-306)
CVE-2025-68715 (shared CWE-306)
CVE-2026-21992 (shared CWE-306)
CVE-2025-26362 (shared CWE-306)
CVE-2026-48692 (shared CWE-306)
CVE-2025-58083 (shared CWE-306)
CVE-2025-21515 (shared CWE-306)
CVE-2026-6376 (shared CWE-306)

Affected Assets

Innomic (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: IA-5 (Authenticator Management) requires managing authenticators, including changing default authenticator content prior to first use and establishing initial authenticators, directly preventing deployment of devices without required passwords.

Prevent: AC-2 (Account Management) ensures proper account management, including creation, authorization, and monitoring of accounts with authenticators, mitigating unauthenticated access to devices.

Prevent: AC-14 (Permitted Actions Without Identification or Authentication) identifies and restricts permitted actions without identification or authentication, ensuring full device access requires authentication rather than allowing it by default.

References

Innomic CSAF advisory ids-2026-0001 (HTML): https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html
Innomic CSAF advisory ids-2026-0001 (JSON): https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json