cbcvebase.
CVE-2022-39197
published 2022-09-22

Priority: P2 (77) · Severity: medium, 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2023-04-20
Exploited in the wild
EPSS: 46.45% (98.7th percentile)
An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver. To exploit the vulnerability, one must first inspect a Cobalt Strike payload, and then modify the username field in the payload (or create a new payload with the extracted information and then modify that username field to be malformed).

Affected

1 range

Vendor       Product        Version range   Fixed in
helpsystems  cobalt_strike  < 4.7.1         4.7.1

Detection & IOCs (extracted from sources)

  • Exploit vector: a malformed username field in the Beacon check-in metadata. Monitor Beacon check-ins for usernames containing HTML or script injection characters (`<`, `>`, `&...;` entities, `on*=` handlers). A genuine Windows account name cannot contain `<` or `>`, so these are high-confidence indicators rather than noise.
  • The injected HTML is rendered in the Cobalt Strike operator interface that displays Teamserver data (a Java Swing client), so the target is the red-team operator, not an end user's web browser. Anyone operating a Teamserver should inspect incoming Beacon metadata for unexpected HTML or script content in the username field before it reaches the UI.
  • A successful attack turns a rogue Beacon check-in into attacker-controlled HTML executing in the operator's UI. Hunt for Beacon records with non-standard or HTML-encoded username values.
  • Only Cobalt Strike 4.7 and earlier are affected; the out-of-band 4.7.1 update contains the fix. Scope detection efforts to Teamserver instances running versions below 4.7.1.
  • Exploitation requires the attacker to first inspect a Cobalt Strike payload to extract its configuration and then craft a check-in carrying the malformed username: a two-step attack chain, not a single-packet exploit.
  • Vendor patch reference: the out-of-band Cobalt Strike 4.7.1 update. See https://www.cobaltstrike.com/blog/out-of-band-update-cobalt-strike-4-7-1/ for official remediation guidance.
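A defender-side triage script for the two checks above (scoping to versions below 4.7.1 and inspecting the Beacon username field), added here as an illustration; it is not taken from the page's sources or from Cobalt Strike itself. The JSON-lines check-in records and their field names are constructed for the example, and Cobalt Strike's real log format differs. The username rule rests on two facts: a Windows SAM account name cannot contain the characters `" / \ [ ] : ; | = , + * ? < >`, and Cobalt Strike appends ` *` to the username of an elevated Beacon, which must be stripped before applying that rule or every elevated session would be flagged.

```python
import json
import re

# Characters that can never appear in a Windows SAM account name. A Beacon that
# reports one of these in its username field is lying about its identity,
# which is exactly the shape of the CVE-2022-39197 exploit.
ILLEGAL_SAM_CHARS = set('"/\\[]:;|=,+*?<>')

# HTML entities and numeric character references: a way to get markup rendered
# without a raw '<' ever appearing on the wire.
ENTITY_RE = re.compile(r"&(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);")

# Inline event-handler attributes such as onerror= or onload=.
EVENT_HANDLER_RE = re.compile(r"on[a-z]+\s*=", re.IGNORECASE)

# The out-of-band fix release; anything below it is in scope.
FIXED_VERSION = (4, 7, 1)

# Constructed sample of Beacon check-in records (field names are an assumption
# for this example, not Cobalt Strike's actual log schema).
SAMPLE_CHECKINS = """\
{"beacon_id": "1001", "computer": "WS01", "user": "jsmith", "process": "rundll32.exe"}
{"beacon_id": "1002", "computer": "WS02", "user": "Administrator *", "process": "cmd.exe"}
{"beacon_id": "1003", "computer": "WS03", "user": "<img src=x onerror=alert(1)>", "process": "explorer.exe"}
{"beacon_id": "1004", "computer": "SRV01", "user": "svc_backup", "process": "svchost.exe"}
{"beacon_id": "1005", "computer": "WS04", "user": "bob&lt;b&gt;", "process": "notepad.exe"}
"""


def parse_version(version: str) -> tuple:
    """Turn '4.7' or '4.7.1' into a comparable tuple; missing fields count as 0."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True for any Cobalt Strike release below the out-of-band 4.7.1 fix."""
    return parse_version(version) < FIXED_VERSION


def normalize_username(user: str) -> str:
    """Strip the ' *' marker Cobalt Strike appends to elevated sessions so the
    asterisk (itself an illegal SAM character) does not produce false positives."""
    return user[:-2] if user.endswith(" *") else user


def username_findings(user: str) -> list:
    """Return the reasons a reported username looks like an injection attempt."""
    findings = []
    clean = normalize_username(user)
    bad = sorted(ILLEGAL_SAM_CHARS & set(clean))
    if bad:
        findings.append("illegal SAM characters: " + "".join(bad))
    if ENTITY_RE.search(clean):
        findings.append("HTML entity or character reference")
    if EVENT_HANDLER_RE.search(clean):
        findings.append("event-handler attribute")
    return findings


def scan_checkins(jsonl: str) -> list:
    """Scan JSON-lines check-in records; return (beacon_id, user, findings) per hit."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        findings = username_findings(rec.get("user", ""))
        if findings:
            hits.append((rec.get("beacon_id"), rec["user"], findings))
    return hits


if __name__ == "__main__":
    for ver in ("4.6.1", "4.7", "4.7.1"):
        print(f"Cobalt Strike {ver}: affected={is_affected_version(ver)}")
    for beacon_id, user, findings in scan_checkins(SAMPLE_CHECKINS):
        print(f"beacon {beacon_id}: username {user!r} -> {'; '.join(findings)}")
```

Run against the constructed sample, beacons 1003 and 1005 are flagged while the elevated "Administrator *" session passes clean. The SAM-character rule is the important one: it does not depend on recognising a particular payload, only on the fact that the reported identity is impossible for a real Windows account.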

CVSS provenance

Source     Version  Score  Severity  Vector
NVD        v3.1     6.1    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
VulnCheck           6.1    MEDIUM
CISA                6.1    MEDIUM