CVE-2022-0074
Published 2022-10-27
Priority P1 · 84 · high · CVSS 3.1: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 1.15% (63.0th percentile)
Untrusted Search Path vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server Container allows Privilege Escalation. This affects versions from 1.6.15 before 1.7.16.1.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| litespeed_technologies | litespeed_web_server | >= 1.6.15 < 1.7.16.1 | 1.7.16.1 |
| litespeed_technologies | openlitespeed_web_server | >= 1.6.15 < 1.7.16.1 | 1.7.16.1 |
| litespeedtech | openlitespeed | >= 1.6.15 < 1.7.16.1 | 1.7.16.1 |
Detection & IOCs (extracted from sources)
snort: 93190
snort: 93191
- Monitor for unexpected files placed in /usr/local/bin by the 'nobody' user, particularly files masquerading as legitimate binaries such as 'grep'. This is the core exploitation primitive for CVE-2022-0074.
- Alert on file write events to /usr/local/bin performed by the 'nobody' process account within OpenLiteSpeed/LiteSpeed Docker containers, as this directory is writable by nobody by default in the vulnerable container image.
- Detect privilege escalation from 'nobody' to 'root' in OpenLiteSpeed containers by monitoring process lineage where a root-owned script (entrypoint.sh) spawns a child process whose binary resolves from /usr/local/bin rather than a system path.
- The privilege escalation is only exploitable in environments where /usr/local/bin is writable by the 'nobody' user. This is a non-default misconfiguration on standard Linux systems but is present by default in the vulnerable OpenLiteSpeed Docker container image (ols-dockerfiles repository).
- Affected version range: OpenLiteSpeed 1.5.11 up to 1.7.16 and LiteSpeed Enterprise 5.4.6 up to 6.0.11. Patched versions are OpenLiteSpeed v1.7.16.1 and LiteSpeed v6.0.12.
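The checks in the list above can be run as a point-in-time audit inside a container. This is an added example, not code from any of the cited sources: a POSIX shell function that flags a binary directory that is writable by or owned by a non-trusted account, files in it not owned by the trusted account, and files whose names shadow a system binary. The function name, the finding labels and the `SYSTEM_DIRS` variable are assumptions made for this example.

```shell
#!/bin/sh
# Constructed audit helper; function name, labels and SYSTEM_DIRS are illustrative.
# SYSTEM_DIRS: directories holding the genuine binaries that could be shadowed.
SYSTEM_DIRS=${SYSTEM_DIRS:-"/usr/bin /bin"}

# audit_bin_dir DIR [TRUSTED_USER]   (TRUSTED_USER defaults to root)
# Prints one finding per line. Returns 0 when clean, 1 when anything is flagged.
audit_bin_dir() {
    dir=$1
    trusted=${2:-root}
    findings=$(
        # The directory itself is not owned by the trusted account.
        find "$dir" -prune ! -user "$trusted" -print | sed 's/^/DIR_OWNER /'
        # The directory is writable by its group or by everyone.
        find "$dir" -prune \( -perm -0020 -o -perm -0002 \) -print |
            sed 's/^/DIR_WRITABLE /'
        # Entries not owned by the trusted account (e.g. dropped by 'nobody').
        find "$dir" ! -type d ! -user "$trusted" -print | sed 's/^/FILE_OWNER /'
        # Entries whose name shadows a binary in a system directory (e.g. 'grep').
        for f in "$dir"/*; do
            [ -e "$f" ] || continue
            name=${f##*/}
            for sys in $SYSTEM_DIRS; do
                if [ -e "$sys/$name" ]; then
                    echo "SHADOWS $f -> $sys/$name"
                    break
                fi
            done
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# When run with arguments, audit the given directory,
# e.g.:  sh audit.sh /usr/local/bin root
if [ "$#" -gt 0 ]; then
    audit_bin_dir "$@"
fi
```

A `SHADOWS` finding on its own can be benign (some images deliberately install newer tools under /usr/local/bin); it matters most when combined with `DIR_WRITABLE`, `DIR_OWNER` or `FILE_OWNER`.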
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck · 8.8 HIGH
cisa · 7.8 HIGH
GHSA
GHSA-p85c-c374-mg9g: Untrusted Search Path vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server Container allows Privilege Escalation
ghsa_unreviewed·2022-10-28
CVE-2022-0074 [HIGH] CWE-426 GHSA-p85c-c374-mg9g: Untrusted Search Path vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server Container allows Privilege Escalation
Untrusted Search Path vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server Container allows Privilege Escalation. This affects versions from 1.6.15 before 1.7.16.1.
VulnCheck
LiteSpeed Technologies openlitespeed Untrusted Search Path
vulncheck·2022·CVSS 8.8
CVE-2022-0074 [HIGH] LiteSpeed Technologies openlitespeed Untrusted Search Path
LiteSpeed Technologies openlitespeed Untrusted Search Path
Untrusted Search Path vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server Container allows Privilege Escalation. This affects versions from 1.6.15 before 1.7.16.1.
Affected: LiteSpeed Technologies openlitespeed
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.sentinelone.com/blog/dragon-raas-pro-russian-hacktivist-group-aims-to-build-on-the-five-families-cybercrime-reputation/
CISA
Microsoft Silverlight Double Dereference Vulnerability
cisa·2022-05-25·CVSS 7.8
CVE-2013-0074 [HIGH] Microsoft Silverlight Double Dereference Vulnerability
Vulnerability: Microsoft Silverlight Double Dereference Vulnerability
Affected: Microsoft Silverlight
Microsoft Silverlight does not properly validate pointers during HTML object rendering, which allows remote attackers to execute code via a crafted Silverlight application.
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2013-0074
Remediation Due Date: 2022-06-15
No detection rules found.
No public exploits indexed.
Sentinelone
Dragon RaaS | Pro-Russian Hacktivist Group Aims to Build on "The Five Families" Cybercrime Reputation
blogs_sentinelone·2025-03-19
Dragon RaaS | Pro-Russian Hacktivist Group Aims to Build on "The Five Families" Cybercrime Reputation
Dragon RaaS is a ransomware group that walks the line between hacktivism and cybercrime. Also known as DragonRansom or Dragon Team, it emerged in July 2024 as an offshoot of the Stormous group, itself part of a larger cybercrime syndicate known as “The Five Families,” which includes ThreatSec, GhostSec, Blackforums, and SiegedSec.
While Dragon RaaS markets itself as a sophisticated Ransomware-as-a-Service (RaaS) operation, its attacks are often defacements and opportunistic rather than large-scale ransomware extortion. Even so, it continues to find victims—typically smaller organizations with weak security postures that are often compromised through misconfigurations, brute-force attacks and stolen credentials. The group primarily targets organizations in the United States, Israel, United
Unit42
Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server
blogs_unit42·2022-11-10·CVSS 5.8
CVE-2022-0072 [MEDIUM] Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server
## Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server
Artur Avetisyan
Published: November 10, 2022
Unit42
Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server
blogs_unit42·2022-11-10·CVSS 5.8
CVE-2022-0073 [MEDIUM] Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server
## Executive Summary
The Unit 42 research team has researched and discovered three different vulnerabilities in the open source OpenLiteSpeed Web Server. These vulnerabilities also affect the enterprise version, LiteSpeed Web Server. By chaining and exploiting the vulnerabilities, adversaries could compromise the web server and gain fully privileged remote code execution. The vulnerabilities discovered include:
1. Remote Code Execution (CVE-2022-0073) rated High severity (CVSS 8.8)
2. Privilege Escalation (CVE-2022-0074) rated High severity (CVSS 8.8)
3. Directory Traversal (CVE-2022-0072) rated Medium severity (CVSS 5.8)
OpenLiteSpeed is the Open Source edition of LiteSpeed Web Server Enterprise, which is developed and maintained by LiteSpeed Technologies. LiteSpeed Web Server is ranke