CVE-2022-1517
published 2022-06-24

Priority: P262, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.63% (73.3th percentile)

LRM utilizes elevated privileges. An unauthenticated malicious actor can upload and execute code remotely at the operating system level, which can allow an attacker to change settings, configurations, software, or access sensitive data on the affected product. An attacker could also exploit this vulnerability to access APIs not intended for general use and interact through the network.

Affected

8 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| illumina | iseq_100_instrument | | |
| illumina | local_run_manager | 1.3 – 3.1 | |
| illumina | miniseq_instrument | | |
| illumina | miseq_dx | | |
| illumina | miseq_instrument | | |
| illumina | nextseq_500_instrument | | |
| illumina | nextseq_550_instrument | | |
| illumina | nextseq_550dx | | |

Detection & IOCs (extracted from sources)

filename: LocalRunManagerSecurityPatch.msi
hash: 52b5cfdc462b10011027e94f184c2f0da25b0b1363fddb7fa5793938d11f976259a7f73e77c2fd157f560439ec3df70446aa561b586dc8ef94db2ed95fcce841
hash: 595b724f1c5b4bac446001400b38b748b4ef05520b5489ea4711a2a4289e721a
hash: 25e523031b3bd818d4bba1017c534c735f650e23
hash: 4552a1130947b95ac18be4335c1447f5

  • Monitor for unauthenticated remote file upload attempts to the LRM service, particularly uploads of executable file types (e.g., .exe, .msi, .dll, .sh) which may indicate exploitation of CVE-2022-1519 (unrestricted file upload) chained with CVE-2022-1517 (execution with unnecessary privileges).
  • Detect path traversal sequences in HTTP requests targeting the LRM upload endpoint, indicative of CVE-2022-1518 exploitation to write files outside the intended directory.
  • Alert on any unauthenticated access to LRM APIs, especially from external/internet-facing sources; LRM implements no authentication or authorization by default, making all API endpoints reachable without credentials.
  • For LRM version 2.4 and lower, monitor for cleartext (non-TLS) credential transmission on the network; MITM interception of LRM traffic on these versions may expose credentials in plaintext.
  • The patch hashes provided (SHA-512, SHA-256, SHA-1, MD5) are for the LEGITIMATE patch file (LocalRunManagerSecurityPatch.msi) and should be used to VERIFY patch integrity, not as malicious IOCs. Do not block these hashes.
  • No known public exploits specifically target these vulnerabilities at time of advisory publication; detections should focus on behavioral/anomaly indicators rather than known exploit signatures.
  • CVE-2022-1517 (CVSS 10.0, AV:N/AC:L/PR:N/UI:N/S:C) is network-exploitable with no authentication required and no user interaction; treat any internet-exposed LRM instance as critically at risk.

CVSS provenance

nvd, v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
nvd, v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
vendor_redhat: 5.5 MEDIUM