CVE-2022-31199


CVSS 9.8 CRITICAL · EPSS 36.2% · KEV · CWE-502
In short

A vulnerability in Netwrix Auditor's video recording component allows unauthenticated attackers to remotely execute arbitrary code with system-level privileges on affected servers and monitored systems. This is a critical flaw because attackers can gain complete control without needing valid credentials.

Technical detail

The flaw is a deserialization of untrusted data issue (CWE-502) in the protocol used by the User Activity Video Recording component. An attacker can send malicious messages to the affected component (the Netwrix Auditor server or its agents) without authentication and achieve arbitrary code execution with NT AUTHORITY\SYSTEM privileges. The vulnerability affects both the monitoring infrastructure and any systems monitored by Netwrix Auditor.

Summary generated and translated by AI from the official description.
Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a