CVE-2022-31199 (GCVE-0-2022-31199)

Vulnerability from cvelistv5 – Published: 2022-11-08 00:00 – Updated: 2025-10-21 23:15
VLAI? CISA KEV
Summary
Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.
Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
  • n/a
Assigner
References
CISA KEV
Known Exploited Vulnerability - GCVE BCP-07 Compliant
KEV entry ID: bf5b22fe-70a4-4a8c-8e42-2e6c2e766ffb

Vulnerability ID: CVE-2022-31199

Status: Confirmed

Status Updated: 2023-07-11 00:00 UTC

Exploited: Yes

Timestamps
First Seen: 2023-07-11
Asserted: 2023-07-11
Scope
Notes: KEV entry: Netwrix Auditor Insecure Object Deserialization Vulnerability | Affected: Netwrix / Auditor | Description: Netwrix Auditor User Activity Video Recording component contains an insecure objection deserialization vulnerability that allows an unauthenticated, remote attacker to execute code as the NT AUTHORITY\SYSTEM user. Successful exploitation requires that the attacker is able to reach port 9004/TCP, which is commonly blocked by standard enterprise firewalling. | Required action: Apply updates per vendor instructions or discontinue use of the product if updates are unavailable. | Due date: 2023-08-01 | Known ransomware campaign use (KEV): Known | Notes (KEV): Patch application requires login to customer portal: https://security.netwrix.com/Account/SignIn?ReturnUrl=%2FAdvisories%2FADV-2022-003; https://nvd.nist.gov/vuln/detail/CVE-2022-31199
Evidence

Type: Vendor Report

Signal: Successful Exploitation

Confidence: 80%

Source: cisa-kev

Details
Cwes CWE-502 CWE-122
Feed CISA Known Exploited Vulnerabilities Catalog
Product Auditor
Due Date 2023-08-01
Date Added 2023-07-11
Vendorproject Netwrix
Vulnerabilityname Netwrix Auditor Insecure Object Deserialization Vulnerability
Knownransomwarecampaignuse Known
References
Created: 2026-02-02 12:26 UTC | Updated: 2026-02-02 12:26 UTC
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:11:39.678Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bishopfox.com/blog/netwrix-auditor-advisory"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-31199",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2023-12-09T05:05:05.529175Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2023-07-11",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-31199"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-502",
                "description": "CWE-502 Deserialization of Untrusted Data",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:15:32.384Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-31199"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2023-07-11T00:00:00+00:00",
            "value": "CVE-2022-31199 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-08T00:00:00.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://bishopfox.com/blog/netwrix-auditor-advisory"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-31199",
    "datePublished": "2022-11-08T00:00:00.000Z",
    "dateReserved": "2022-05-18T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:15:32.384Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2022-31199",
      "cwes": "[\"CWE-502\", \"CWE-122\"]",
      "dateAdded": "2023-07-11",
      "dueDate": "2023-08-01",
      "knownRansomwareCampaignUse": "Known",
      "notes": "Patch application requires login to customer portal: https://security.netwrix.com/Account/SignIn?ReturnUrl=%2FAdvisories%2FADV-2022-003;  https://nvd.nist.gov/vuln/detail/CVE-2022-31199",
      "product": "Auditor",
      "requiredAction": "Apply updates per vendor instructions or discontinue use of the product if updates are unavailable.",
      "shortDescription": "Netwrix Auditor User Activity Video Recording component contains an insecure objection deserialization vulnerability that allows an unauthenticated, remote attacker to execute code as the NT AUTHORITY\\SYSTEM user. Successful exploitation requires that the attacker is able to reach port 9004/TCP, which is commonly blocked by standard enterprise firewalling.",
      "vendorProject": "Netwrix",
      "vulnerabilityName": "Netwrix Auditor Insecure Object Deserialization Vulnerability"
    },
    "fkie_nvd": {
      "cisaActionDue": "2023-08-01",
      "cisaExploitAdd": "2023-07-11",
      "cisaRequiredAction": "Apply updates per vendor instructions or discontinue use of the product if updates are unavailable.",
      "cisaVulnerabilityName": "Netwrix Auditor Insecure Object Deserialization Vulnerability",
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:netwrix:auditor:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"10.5\", \"matchCriteriaId\": \"A18EC504-8BFD-4A3D-AB67-73E3B329030A\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\\\\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.\"}, {\"lang\": \"es\", \"value\": \"Existen vulnerabilidades de ejecuci\\u00f3n remota de c\\u00f3digo en el componente de grabaci\\u00f3n de v\\u00eddeo de actividad del usuario de Netwrix Auditor que afectan tanto al servidor de Netwrix Auditor como a los agentes instalados en los sistemas monitoreados. Las vulnerabilidades de ejecuci\\u00f3n remota de c\\u00f3digo existen dentro del protocolo subyacente utilizado por el componente y potencialmente permiten que un atacante remoto no autenticado ejecute c\\u00f3digo arbitrario como usuario NT AUTHORITY\\\\SYSTEM en los sistemas afectados, incluidos los sistemas que monitorea Netwrix Auditor.\"}]",
      "id": "CVE-2022-31199",
      "lastModified": "2024-11-21T07:04:06.597",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2022-11-08T01:15:09.767",
      "references": "[{\"url\": \"https://bishopfox.com/blog/netwrix-auditor-advisory\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://bishopfox.com/blog/netwrix-auditor-advisory\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-31199\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2022-11-08T01:15:09.767\",\"lastModified\":\"2025-11-03T16:20:05.697\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\\\\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.\"},{\"lang\":\"es\",\"value\":\"Existen vulnerabilidades de ejecuci\u00f3n remota de c\u00f3digo en el componente de grabaci\u00f3n de v\u00eddeo de actividad del usuario de Netwrix Auditor que afectan tanto al servidor de Netwrix Auditor como a los agentes instalados en los sistemas monitoreados. Las vulnerabilidades de ejecuci\u00f3n remota de c\u00f3digo existen dentro del protocolo subyacente utilizado por el componente y potencialmente permiten que un atacante remoto no autenticado ejecute c\u00f3digo arbitrario como usuario NT AUTHORITY\\\\SYSTEM en los sistemas afectados, incluidos los sistemas que monitorea Netwrix Auditor.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"cisaExploitAdd\":\"2023-07-11\",\"cisaActionDue\":\"2023-08-01\",\"cisaRequiredAction\":\"Apply updates per vendor instructions or discontinue use of the product if updates are unavailable.\",\"cisaVulnerabilityName\":\"Netwrix Auditor Insecure Object Deserialization Vulnerability\",\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netwrix:auditor:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"10.5\",\"matchCriteriaId\":\"A18EC504-8BFD-4A3D-AB67-73E3B329030A\"}]}]}],\"references\":[{\"url\":\"https://bishopfox.com/blog/netwrix-auditor-advisory\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://bishopfox.com/blog/netwrix-auditor-advisory\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-31199\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://bishopfox.com/blog/netwrix-auditor-advisory\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T07:11:39.678Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-31199\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2023-12-09T05:05:05.529175Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2023-07-11\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-31199\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2023-07-11T00:00:00+00:00\", \"value\": \"CVE-2022-31199 added to CISA KEV\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-03T14:27:47.118Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://bishopfox.com/blog/netwrix-auditor-advisory\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\\\\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2022-11-08T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-31199\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T18:44:55.896Z\", \"dateReserved\": \"2022-05-18T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2022-11-08T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.