CVE-2022-2334
published 2022-08-17CVE-2022-2334: The application searches for a library dll that is not found. If an attacker can place a dll with this name, then the attacker can leverage it to execute…
PriorityP353high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
EXPLOIT
EPSS
9.50%
94.8th percentile
The application searches for a library dll that is not found. If an attacker can place a dll with this name, then the attacker can leverage it to execute arbitrary code on the targeted Softing Secure Integration Server V1.22.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| softing | edgeaggregator | — | — |
| softing | edgeconnector | — | — |
| softing | opc | — | — |
| softing | opc_ua_c_+_+_software_development_kit | — | — |
| softing | secure_integration_server | — | — |
| softing | secure_integration_server | — | — |
| softing | uagates | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for creation of wbemcomn.dll outside of its legitimate path, or unexpected writes to C:\Windows\System32\wbem\wbemcomn.dll, which may indicate DLL hijacking via directory traversal in a ZIP upload. ↗
- →Detect ZIP file uploads to Softing Secure Integration Server's 'restore configuration' feature containing path traversal sequences (e.g., '../' chains) in filenames, particularly targeting DLL paths under Windows\System32. ↗
- →Alert on Softing Secure Integration Server process restarts following a configuration restore operation, especially if followed by loading of a newly written wbemcomn.dll — this is the trigger for the DLL hijack payload execution. ↗
- →Investigate ARP spoofing activity on networks hosting Softing SIS servers, as attackers may use it to harvest authentication signatures to satisfy the authenticated exploit chain. ↗
- ·Exploit requires authentication (username + password or a captured network signature); unauthenticated exploitation is not directly possible without first obtaining credentials or performing ARP spoofing to capture a valid signature. ↗
- ·This is a chained exploit combining CVE-2022-1373 (directory traversal via ZIP restore) and CVE-2022-2334 (DLL hijacking); both vulnerabilities must be present and exploitable for the full RCE chain to succeed. ↗
- ·A custom DLL payload can be substituted for the default Metasploit-generated one, meaning hash-based detection of the dropped DLL alone is insufficient for full coverage. ↗
- ·Affected version is specifically Softing Secure Integration Server V1.22; verify version before applying detections to avoid false positives on patched or unaffected versions. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
Softing Secure Integration Server
cisa_ics·2022-09-26·CVSS 7.5
[HIGH] Softing Secure Integration Server
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
Softing Secure Integration Server
Last RevisedSeptember 26, 2022
Alert CodeICSA-22-228-04
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Softing
- Equipment: Secure Integration Server
- Vulnerabilities: Out-of-bounds Read, Uncontrolled Search Path Element, Improper Authentication, Relative Path Traversal, Cleartext Transmission of Sensitive Information, NULL Pointer Dereference, Integer Underflow.
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-servi
GHSA
GHSA-54hf-wxj6-qch5: The application searches for a library dll that is not found
ghsa_unreviewed·2022-08-18
CVE-2022-2334 [HIGH] CWE-427 GHSA-54hf-wxj6-qch5: The application searches for a library dll that is not found
The application searches for a library dll that is not found. If an attacker can place a dll with this name, then the attacker can leverage it to execute arbitrary code on the targeted Softing Secure Integration Server V1.22.
No detection rules found.
No writeups or analysis indexed.
2022-08-17
Published