CVE-2022-1519
published 2022-06-24


Priority P260, critical, 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.26% (65.9th percentile)
LRM does not restrict the types of files that can be uploaded to the affected product. A malicious actor can upload any file type, including executable code that allows for a remote code exploit.

Affected

8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| illumina | iseq_100_instrument | | |
| illumina | local_run_manager | 1.3 – 3.1 | |
| illumina | miniseq_instrument | | |
| illumina | miseq_dx | | |
| illumina | miseq_instrument | | |
| illumina | nextseq_500_instrument | | |
| illumina | nextseq_550_instrument | | |
| illumina | nextseq_550dx | | |

Detection & IOCs (extracted from sources)

filename: LocalRunManagerSecurityPatch.msi
hash: 52b5cfdc462b10011027e94f184c2f0da25b0b1363fddb7fa5793938d11f976259a7f73e77c2fd157f560439ec3df70446aa561b586dc8ef94db2ed95fcce841
hash: 595b724f1c5b4bac446001400b38b748b4ef05520b5489ea4711a2a4289e721a
hash: 25e523031b3bd818d4bba1017c534c735f650e23
hash: 4552a1130947b95ac18be4335c1447f5
  • CVE-2022-1519 is an unrestricted file upload vulnerability in Illumina LRM. Monitor for unauthenticated HTTP file upload requests to the LRM web interface that include executable file types (e.g., .exe, .msi, .dll, .sh, .ps1). Any non-data file upload to LRM should be treated as suspicious.
  • CVE-2022-1519 is chained with CVE-2022-1517 (execution with elevated/unnecessary privileges) and CVE-2022-1518 (path traversal). Detections should also look for directory traversal sequences (e.g., '../') in upload paths to LRM endpoints, as uploaded executables may be placed outside the intended directory.
  • LRM does not implement authentication or authorization by default, meaning exploit attempts against CVE-2022-1519 require no credentials. Alert on any unauthenticated file upload activity to LRM endpoints.
  • The patch hashes provided (SHA-512, SHA-256, SHA-1, MD5) are for the LEGITIMATE Illumina security patch file (LocalRunManagerSecurityPatch.msi), not for malware. Use these hashes to verify patch integrity, not as malicious IOCs.
  • No known public exploits specifically targeting CVE-2022-1519 were identified at the time of advisory publication, limiting the availability of concrete attacker-specific IOCs.
  • LRM version 2.4 and lower transmits data (including credentials) in cleartext without TLS, meaning network-based detections on encrypted traffic will not apply to these older versions.

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C