CVE-2022-25089
published 2022-03-03

Priority: P269 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 18.62% (96.9th percentile)
Printix Secure Cloud Print Management through 1.3.1106.0 incorrectly uses Privileged APIs to modify values in HKEY_LOCAL_MACHINE via UITasks.PersistentRegistryData.

Affected (1 range)

Vendor: kofax
Product: printix
Version range: <= 1.3.1106.0
Fixed in: not listed

Detection & IOCs (extracted from sources)

URL: https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip
Port: 21338
Registry: HKEY_LOCAL_MACHINE
Command: command = 49
Other: printixReflectorPackage_
  • Monitor for unauthenticated TCP connections to port 21338 on Windows hosts running Printix Client; this port is used by the exploit to send arbitrary registry-modification commands without authentication.
  • Alert on network sessions using the session name prefix 'printixReflectorPackage_' or the static name 'printixMDNs7914', which are hardcoded in the PoC exploit.
  • Detect command number 49 sent over the Printix inter-process communication channel on port 21338; this command is explicitly used to edit registry keys without authentication.
  • Monitor for unexpected writes to HKEY_LOCAL_MACHINE registry keys originating from the Printix client process (UITasks.PersistentRegistryData), especially from non-administrative user contexts.
  • The exploit hardcodes a target IP (192.168.1.29) for demonstration; real-world attacks will vary the target host. Detection should not rely on a specific source/destination IP.
  • Client-side certificate authentication is noted as deprecated/not enforced in the PoC, meaning the attack channel on port 21338 accepts unauthenticated connections.
  • The session name suffix is randomized (1–200) in the PoC, so exact session name matching will miss variants; use prefix-based detection for 'printixReflectorPackage_'.

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)