CVE-2022-1373
published 2022-08-17


Priority: P2 (58) · Severity: high · CVSS 3.1 base score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 10.23% (95.1th percentile)
The “restore configuration” feature of Softing Secure Integration Server V1.22 is vulnerable to directory traversal when processing zip files. An attacker can craft a zip file that drops an arbitrary DLL and thereby executes code: uploading, through the "restore configuration" feature, a zip archive whose entry names contain path traversal sequences causes the archived file to be written to an attacker-chosen location on disk and executed once it is there.
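The defect is the classic Zip Slip pattern: the extractor trusts the entry name inside the archive, so a name such as `..\..\Windows\System32\wbem\wbemcomn.dll` walks out of the restore directory. The following is an added example, not Softing's code: it builds a constructed in-memory archive with one benign entry and one traversal entry shaped like the advisory's description, flags the bad entry, and shows a hardened extractor that rejects the whole archive rather than silently rewriting the path. It is also the check a gateway would apply to an uploaded archive before handing it to the restore routine.

```python
"""Zip Slip check for a "restore configuration" style upload.

Added example, not Softing's code. The archive is constructed here for
illustration; it is not a capture of the Pwn2Own payload.
"""
import io
import os
import tempfile
import zipfile
from pathlib import PureWindowsPath


def entry_escapes_root(name: str) -> bool:
    """True if an archive entry name would land outside the extraction root.

    Handles both separators (zip names may mix them), absolute POSIX paths,
    Windows drive letters and UNC prefixes, and ".." that climbs above depth 0.
    """
    unified = name.replace("\\", "/")
    if unified.startswith("/") or PureWindowsPath(name).drive:
        return True
    depth = 0
    for part in unified.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_archive(data: bytes) -> list:
    """Names of entries in a zip (given as bytes) that would escape the root."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if entry_escapes_root(n)]


def build_sample_archive(include_traversal: bool) -> bytes:
    """Constructed sample: a benign config entry, optionally plus a traversal
    entry named like the DLL-planting technique the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/server.xml", "<config/>")
        if include_traversal:
            zf.writestr("..\\..\\..\\Windows\\System32\\wbem\\wbemcomn.dll",
                        b"MZ placeholder, not a real DLL")
    return buf.getvalue()


def safe_extract(data: bytes, root: str) -> list:
    """Hardened restore: validate every entry first and reject the whole
    archive if any entry escapes root (a config restore is all-or-nothing).
    Files are written by hand so the check, not the library, is what protects."""
    root = os.path.realpath(root)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        bad = [n for n in zf.namelist() if entry_escapes_root(n)]
        if bad:
            raise ValueError(f"archive rejected, traversal entries: {bad}")
        for info in zf.infolist():
            target = os.path.realpath(
                os.path.join(root, info.filename.replace("\\", "/")))
            # Belt and braces: re-check the resolved path against the root.
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"resolved outside root: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def run_demo() -> dict:
    """Exercise both archives against a throwaway root; returns a summary."""
    result = {}
    with tempfile.TemporaryDirectory() as root:
        try:
            safe_extract(build_sample_archive(True), root)
            result["rejected"] = False
        except ValueError:
            result["rejected"] = True
        result["benign_written"] = len(safe_extract(build_sample_archive(False), root))
    return result


if __name__ == "__main__":
    print("flagged:", scan_archive(build_sample_archive(True)))
    print(run_demo())
```

Rejecting rather than sanitising is deliberate: an archive containing a traversal entry is not a malformed backup, it is an attack, and the restore should fail loudly and be logged.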

Affected (7 ranges)

Vendor    Product                                    Version range    Fixed in
softing   edgeaggregator
softing   edgeconnector
softing   opc
softing   opc_ua_c_+_+_software_development_kit
softing   secure_integration_server
softing   secure_integration_server
softing   uagates

Detection & IOCs (extracted from sources)

Path: C:\Windows\System32\wbem\wbemcomn.dll
  • Monitor for creation of wbemcomn.dll in C:\Windows\System32\wbem\ by a non-system process, particularly the Softing Secure Integration Server process, as this indicates exploitation of the directory traversal via zip upload.
  • Detect zip file uploads to the 'restore configuration' feature of Softing SIS containing path traversal sequences (e.g., '../' or '..\') in archived file names, especially targeting DLL paths under Windows\System32.
  • Alert on DLL hijacking of wbemcomn.dll triggered at Softing Secure Integration Server restart: the planted DLL is loaded during the service restart that follows a configuration restore operation.
  • Investigate ARP spoofing activity on networks hosting Softing SIS servers, as attackers may use it to harvest the authentication signatures used in the exploit chain.
  • The exploit chain requires authentication (username + password or signature). Signature-based authentication was demonstrated at Pwn2Own via ARP spoofing, meaning network-level credential interception is a prerequisite attack vector.
  • This CVE (CVE-2022-1373) is chained with CVE-2022-2334 (DLL hijacking) to achieve full RCE; the directory traversal alone plants the DLL, but code execution requires the subsequent service restart triggering the hijack.
  • A custom DLL payload can be substituted for the default Metasploit-generated DLL, meaning the planted file hash will vary across attack instances and hash-based detection alone is insufficient.
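The first and third bullets translate into two endpoint rules: file creation of wbemcomn.dll under System32\wbem by anything other than the servicing stack, and a load of that DLL that is not Microsoft-signed. The block below is an added example, not a vendor detection rule: it runs both checks over constructed Sysmon-style events (Event ID 11 FileCreate and Event ID 7 ImageLoad). The Softing process image path and the allowlist of legitimate writers are assumptions for the sample, not values from the advisory. Keying the load rule on the signature rather than on a hash is what makes it survive the custom-payload caveat in the last bullet.

```python
"""Endpoint detection for the planted-DLL stage of the CVE-2022-1373 chain.

Added example, not a vendor rule. Events are constructed Sysmon-style dicts;
the Softing image path and SYSTEM_WRITERS allowlist are assumptions.
"""

TARGET_DLL = r"c:\windows\system32\wbem\wbemcomn.dll"

# Assumed allowlist of processes that legitimately replace files under
# System32 (Windows servicing). Tune to the environment; not from the advisory.
SYSTEM_WRITERS = (
    r"c:\windows\servicing\trustedinstaller.exe",
)

# Hypothetical Softing SIS service binary path, used only to build the sample.
SIS_IMAGE = r"C:\Program Files\Softing\SIS\sis_server.exe"


def detect(events: list) -> list:
    """Return one alert dict per event that matches either rule."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "").lower()
        if eid == 11 and ev.get("TargetFilename", "").lower() == TARGET_DLL:
            # Rule 1: wbemcomn.dll written by anything but the servicing stack.
            # This is the traversal stage of the chain landing the file on disk.
            if not image.startswith(SYSTEM_WRITERS):
                alerts.append({"rule": "wbemcomn_planted",
                               "image": ev["Image"], "utc": ev["UtcTime"]})
        elif eid == 7 and ev.get("ImageLoaded", "").lower() == TARGET_DLL:
            # Rule 2: the genuine DLL is Microsoft-signed; an unsigned copy
            # being loaded is the hijack firing at service restart. Signature,
            # not hash, so a custom payload still trips it.
            if ev.get("Signed", "false").lower() != "true":
                alerts.append({"rule": "wbemcomn_unsigned_load",
                               "image": ev["Image"], "utc": ev["UtcTime"]})
    return alerts


# Constructed sample events (not real telemetry). Order: benign servicing
# write, SIS writes the DLL, SIS writes its own config, signed load by WMI,
# unsigned load by SIS after restart.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2022-08-17 10:00:01",
     "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\System32\wbem\wbemcomn.dll"},
    {"EventID": 11, "UtcTime": "2022-08-17 10:05:12",
     "Image": SIS_IMAGE,
     "TargetFilename": r"C:\Windows\System32\wbem\wbemcomn.dll"},
    {"EventID": 11, "UtcTime": "2022-08-17 10:05:12",
     "Image": SIS_IMAGE,
     "TargetFilename": r"C:\ProgramData\Softing\SIS\config\server.xml"},
    {"EventID": 7, "UtcTime": "2022-08-17 10:05:30",
     "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemcomn.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 7, "UtcTime": "2022-08-17 10:06:02",
     "Image": SIS_IMAGE,
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemcomn.dll",
     "Signed": "false", "Signature": "-"},
]


def run_detection() -> list:
    """Run both rules over the constructed sample."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

In production the same two conditions map directly onto a Sysmon configuration or a SIEM query; the value of the second rule is that it fires on whatever the attacker substituted for the Metasploit DLL, because the genuine file is signed and a planted one is not.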