CVE-2022-2334
published 2022-08-17

Priority: P3, 53, high
CVSS 3.1: 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 9.50% (94.8th percentile)

The application searches for a library dll that is not found. If an attacker can place a dll with this name, then the attacker can leverage it to execute arbitrary code on the targeted Softing Secure Integration Server V1.22.

Affected

7 ranges
Vendor | Product | Version range | Fixed in
softing | edgeaggregator | |
softing | edgeconnector | |
softing | opc | |
softing | opc_ua_c_+_+_software_development_kit | |
softing | secure_integration_server | |
softing | secure_integration_server | |
softing | uagates | |

Detection & IOCs (extracted from sources)

path: C:\Windows\System32\wbem\wbemcomn.dll
filename: wbemcomn.dll
path: ..\..\..\..\..\..\..\..\..\..\..\Windows\System32\wbem\wbemcomn.dll
  • Monitor for creation of wbemcomn.dll outside of its legitimate path, or unexpected writes to C:\Windows\System32\wbem\wbemcomn.dll, which may indicate DLL hijacking via directory traversal in a ZIP upload.
  • Detect ZIP file uploads to Softing Secure Integration Server's 'restore configuration' feature containing path traversal sequences (e.g., '../' chains) in filenames, particularly targeting DLL paths under Windows\System32.
  • Alert on Softing Secure Integration Server process restarts following a configuration restore operation, especially if followed by loading of a newly written wbemcomn.dll — this is the trigger for the DLL hijack payload execution.
  • Investigate ARP spoofing activity on networks hosting Softing SIS servers, as attackers may use it to harvest authentication signatures to satisfy the authenticated exploit chain.
  • Exploit requires authentication (username + password or a captured network signature); unauthenticated exploitation is not directly possible without first obtaining credentials or performing ARP spoofing to capture a valid signature.
  • This is a chained exploit combining CVE-2022-1373 (directory traversal via ZIP restore) and CVE-2022-2334 (DLL hijacking); both vulnerabilities must be present and exploitable for the full RCE chain to succeed.
  • A custom DLL payload can be substituted for the default Metasploit-generated one, meaning hash-based detection of the dropped DLL alone is insufficient for full coverage.
  • Affected version is specifically Softing Secure Integration Server V1.22; verify version before applying detections to avoid false positives on patched or unaffected versions.
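
The ZIP-upload check from the detection notes above, as an added example (not code from this page or from Softing): it inspects archive member names for traversal sequences and for the wbemcomn.dll filename before anything is extracted. It assumes the uploaded archive bytes are available to the defender (for example from a proxy or upload hook); `audit_zip_entries` and `make_zip` are hypothetical names, and the sample archives are constructed.

```python
import io
import ntpath
import zipfile

# Filename IOC listed on this page; all other names here are assumptions.
WATCHED_DLL = "wbemcomn.dll"


def audit_zip_entries(data: bytes) -> list:
    """Return one finding per archive member whose name is unsafe to extract."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # The restore target is a Windows host, so treat '\' and '/' alike.
            name = info.filename.replace("\\", "/")
            parts = [p for p in name.split("/") if p not in ("", ".")]
            reasons = []
            if ".." in parts:
                reasons.append("parent-directory traversal")
            # Leading slash, drive letter or UNC prefix escapes the restore dir.
            if name.startswith("/") or ntpath.splitdrive(info.filename)[0]:
                reasons.append("absolute path")
            # Name-based match: content hashes miss custom payloads.
            if parts and parts[-1].lower() == WATCHED_DLL:
                reasons.append("writes " + WATCHED_DLL)
            if reasons:
                findings.append({"entry": info.filename, "reasons": reasons})
    return findings


def make_zip(names) -> bytes:
    """Build a constructed in-memory archive with empty members (test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"")
    return buf.getvalue()


# Constructed samples: a normal backup and one carrying a traversal entry.
BENIGN = make_zip(["config/settings.xml", "config/users.xml"])
SUSPECT = make_zip(["config/settings.xml",
                    "..\\..\\..\\Windows\\System32\\wbem\\wbemcomn.dll"])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, audit_zip_entries(blob))
```
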