CVE-2022-25089
Published 2022-03-03
Priority: P269
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public PoC available (see references)
EPSS: 18.62% (96.9th percentile)
Printix Secure Cloud Print Management through 1.3.1106.0 incorrectly uses Privileged APIs to modify values in HKEY_LOCAL_MACHINE via UITasks.PersistentRegistryData.
Affected (1 version range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kofax | printix | <= 1.3.1106.0 | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated TCP connections to port 21338 on Windows hosts running Printix Client; the exploit uses this port to send arbitrary registry-modification commands without authentication.
- Alert on sessions on that channel using the session name prefix 'printixReflectorPackage_' or the static name 'printixMDNs7914', both hardcoded in the PoC exploit.
- Detect command number 49 sent over the Printix inter-process communication channel on port 21338; the PoC uses this command to edit registry keys without authentication.
- Monitor for unexpected writes to HKEY_LOCAL_MACHINE registry keys originating from the Printix client process (UITasks.PersistentRegistryData), especially on behalf of non-administrative user contexts.
Caveats:
- The exploit hardcodes a target IP (192.168.1.29) for demonstration; real-world attacks will vary the target host, so detection should not rely on a specific source or destination IP.
- Client-side certificate authentication is noted as deprecated/not enforced in the PoC, meaning the attack channel on port 21338 accepts unauthenticated connections.
- The session name suffix is randomized (1–200) in the PoC, so exact session name matching will miss variants; use prefix-based detection for 'printixReflectorPackage_'.
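The indicators above can be turned into a small matcher. The following is an added example written for this page, not code from the CVE sources or from the Printix PoC. It scores Sysmon-style events (EventID 3 network connections, EventID 13 registry value sets) and a hypothetical pre-parsed "printix_ipc" event carrying the session name and command number; the Printix client image path, the "printix_ipc" event shape and all sample events are constructed assumptions, so adjust them to your own telemetry.

```python
"""Added example: match telemetry against the CVE-2022-25089 indicators.

Not from the CVE page or the PoC. Field names follow Sysmon where an
EventID is numeric; the "printix_ipc" event type is an assumption standing
in for whatever parser you have on the port-21338 channel.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

PRINTIX_PORT = 21338

# Session names hardcoded in the PoC. The numeric suffix is randomized
# (1-200), so the prefix is matched and the suffix is left as \d+.
SESSION_RE = re.compile(r"^printixReflectorPackage_\d+$|^printixMDNs7914$")

# Command 49 on the channel edits registry keys without authentication.
REGISTRY_EDIT_COMMAND = 49

# Assumption: the Printix client binary lives under a path containing
# "printix"; replace with the real install path / signer check in production.
PRINTIX_IMAGE_RE = re.compile(r"printix", re.IGNORECASE)
HKLM_RE = re.compile(r"^HKLM\\", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    detail: str


def is_loopback(ip: str) -> bool:
    return ip.startswith("127.") or ip == "::1"


def check_network(ev: dict) -> Optional[Finding]:
    """Sysmon EventID 3: TCP to 21338 from a non-loopback peer.
    No IP allow/deny list is used; the PoC's target IP is demo-only."""
    if ev.get("EventID") != 3 or ev.get("Protocol") != "tcp":
        return None
    src = ev.get("SourceIp", "")
    if ev.get("DestinationPort") == PRINTIX_PORT and not is_loopback(src):
        return Finding("printix_ipc_remote_connect", f"{src} -> :{PRINTIX_PORT}")
    return None


def check_session(name: str) -> Optional[Finding]:
    """Session name seen on the channel; prefix-based per the caveat above."""
    if SESSION_RE.match(name or ""):
        return Finding("printix_poc_session_name", name)
    return None


def check_command(cmd) -> Optional[Finding]:
    """Command 49 is the unauthenticated registry-edit command in the PoC."""
    if cmd == REGISTRY_EDIT_COMMAND:
        return Finding("printix_cmd49_registry_edit", f"command {cmd}")
    return None


def check_registry(ev: dict) -> Optional[Finding]:
    """Sysmon EventID 13: HKLM value written by the Printix client process."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    if HKLM_RE.match(target) and PRINTIX_IMAGE_RE.search(ev.get("Image", "")):
        return Finding("printix_hklm_write", target)
    return None


def scan(events: List[dict]) -> List[Finding]:
    """Run every check over every event and collect the hits."""
    findings: List[Finding] = []
    for ev in events:
        for f in (check_network(ev), check_registry(ev)):
            if f:
                findings.append(f)
        if ev.get("EventID") == "printix_ipc":  # assumed pre-parsed channel event
            for f in (check_session(ev.get("SessionName", "")),
                      check_command(ev.get("Command"))):
                if f:
                    findings.append(f)
    return findings


# Constructed sample events, not real telemetry.
PRINTIX_IMAGE = r"C:\Program Files\Printix Client\PrintixClient.exe"  # assumed path
SAMPLE_EVENTS = [
    {"EventID": 3, "Protocol": "tcp", "SourceIp": "10.0.0.5", "DestinationPort": 21338},
    {"EventID": 3, "Protocol": "tcp", "SourceIp": "127.0.0.1", "DestinationPort": 21338},  # local UI, benign
    {"EventID": 3, "Protocol": "tcp", "SourceIp": "10.0.0.5", "DestinationPort": 443},
    {"EventID": 13, "Image": PRINTIX_IMAGE, "TargetObject": r"HKLM\SOFTWARE\Example\Run\updater"},
    {"EventID": 13, "Image": PRINTIX_IMAGE, "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Printix\ui"},
    {"EventID": "printix_ipc", "SessionName": "printixReflectorPackage_137", "Command": 49},
    {"EventID": "printix_ipc", "SessionName": "printixMDNs7914", "Command": 7},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.rule, f.detail)
```

On the constructed sample the remote connection, the HKLM write, both PoC session names and the command-49 event are flagged, while the loopback connection, the HTTPS connection and the HKU write are not. The HKLM rule will also fire on the client's legitimate writes, so in practice it is a signal to correlate with a preceding remote 21338 connection rather than an alert on its own.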
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/167013/Printix-1.3.1106.0-Privileged-API-Abuse.html
- http://printix.com
- https://github.com/ComparedArray/printix-CVE-2022-25089
- https://www.exploit-db.com/exploits/50798