CVE-2022-39197
Published 2022-09-22
Priority: P2 · 77 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, remediation due 2023-04-20
Exploited in the wild
EPSS: 46.45% (98.7th percentile)
An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver. To exploit the vulnerability, one must first inspect a Cobalt Strike payload, and then modify the username field in the payload (or create a new payload with the extracted information and then modify that username field to be malformed).
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| helpsystems | cobalt_strike | < 4.7.1 | 4.7.1 |
Detection & IOCs (extracted from sources)
- The exploit vector involves a malformed/malicious username field set in the Cobalt Strike Beacon configuration payload. Monitor for Beacon check-ins where the username field contains HTML/script injection characters.
- The XSS payload is rendered on the Cobalt Strike Teamserver UI. Defenders operating Teamservers should inspect incoming Beacon metadata for unexpected HTML or script tags in the username field.
- An attacker sets a malformed username in the Beacon configuration to achieve remote code execution against the Teamserver. Hunt for Beacon configs with non-standard or HTML-encoded username values.
- The vulnerability affects Cobalt Strike through version 4.7 only; version 4.7.1 (out-of-band update) contains the fix. Scope detection efforts to Teamserver instances running 4.7 and below.
- Exploitation requires the attacker to first inspect a Cobalt Strike payload to extract configuration information before crafting the malicious username. This implies a two-step attack chain, not a single-packet exploit.
- The vulnerability is in the Teamserver component specifically (not the client or listener), meaning the XSS executes in the operator's Teamserver UI context, not in the web browser of an end user.
- The vendor patch reference is the out-of-band Cobalt Strike 4.7.1 update. Refer to https://www.cobaltstrike.com/blog/out-of-band-update-cobalt-strike-4-7-1/ for official remediation guidance.
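A hunt over Beacon check-in metadata for the malformed username the notes above describe, added here as an example (not code from this page, from Cobalt Strike, or from any cited source): the check-in records, their field names and the `teamserver_version` field used for version scoping are constructed assumptions.

```python
import html
import json
import re

# Constructed sample of Beacon check-in metadata as an operator might log it
# (assumed field names, not real Cobalt Strike output). "teamserver_version"
# is an assumption used to scope the hunt to 4.7 and below.
SAMPLE_CHECKINS = [
    {"beacon_id": 1, "teamserver_version": "4.7", "user": "jsmith", "computer": "WS01"},
    {"beacon_id": 2, "teamserver_version": "4.7", "user": "<b>jsmith</b>", "computer": "WS02"},
    {"beacon_id": 3, "teamserver_version": "4.7", "user": "&lt;script&gt;x&lt;/script&gt;", "computer": "WS03"},
    {"beacon_id": 4, "teamserver_version": "4.7.1", "user": "<i>x</i>", "computer": "WS04"},
]

HTML_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
HTML_ENTITY = re.compile(r"&(#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);")

def version_tuple(version):
    return tuple(int(part) for part in version.split("."))

def is_vulnerable_version(version):
    # Fixed in 4.7.1 per the affected table; anything lower is in scope.
    return version_tuple(version) < (4, 7, 1)

def suspicious_username(user):
    """Return a reason string if the username looks like HTML/script injection, else None."""
    # Decode entities first so an HTML-encoded username is judged by what
    # it renders as, not only by its raw bytes.
    decoded = html.unescape(user)
    if HTML_TAG.search(decoded):
        return "html_tag"
    if HTML_ENTITY.search(user):
        return "html_entity"
    if any(ch in user for ch in "<>\"'"):
        return "markup_chars"
    return None

def hunt(checkins):
    """Return the check-ins on a vulnerable Teamserver whose username looks malformed."""
    hits = []
    for rec in checkins:
        if not is_vulnerable_version(rec["teamserver_version"]):
            continue  # 4.7.1 and later carry the fix; out of scope for this CVE
        reason = suspicious_username(rec["user"])
        if reason:
            hits.append({"beacon_id": rec["beacon_id"], "reason": reason, "user": rec["user"]})
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_CHECKINS):
        print(json.dumps(hit))
```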
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| vulncheck | | 6.1 | MEDIUM | |
| cisa | | 6.1 | MEDIUM | |
CISA
Fortra Cobalt Strike Teamserver Cross-Site Scripting (XSS) Vulnerability
cisa · 2023-03-30 · CVSS 6.1 · severity MEDIUM · CWE-20
Affected: Fortra Cobalt Strike
Fortra Cobalt Strike contains a cross-site scripting (XSS) vulnerability in Teamserver that would allow an attacker to set a malformed username in the Beacon configuration, allowing them to execute code remotely.
Required Action: Apply updates per vendor instructions.
Notes: https://www.cobaltstrike.com/blog/out-of-band-update-cobalt-strike-4-7-1/; https://nvd.nist.gov/vuln/detail/CVE-2022-39197
Remediation Due Date: 2023-04-20
GHSA
GHSA-9jq3-pg7g-c4wc
ghsa_unreviewed · 2022-09-23 · severity MEDIUM · CWE-79
An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver. To exploit the vulnerability, one must first inspect a Cobalt Strike payload, and then modify the username field in the payload (or create a new payload with the extracted information and then modify that username field to be malformed).
VulnCheck
Fortra Cobalt Strike Teamserver Cross-Site Scripting (XSS) Vulnerability
vulncheck · 2022 · CVSS 6.1 · severity MEDIUM · CWE-20
Fortra Cobalt Strike contains a cross-site scripting (XSS) vulnerability in Teamserver that would allow an attacker to set a malformed username in the Beacon configuration, allowing them to execute code remotely.
Affected: Fortra Cobalt Strike
Required Action: Apply updates per vendor instructions.
Exploitation References: https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/summary/2023/360_APT_Annual_Research_Report_2022.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/e6228f53d546; https://vulncheck.com/xdb/e27264b8a97a; https://vulncheck.com/xdb/c4a0f56cf3e1; https://vulncheck.com/xdb/2cbdcb7cc5f9; https://vulncheck.com/
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Fortra warns of max severity flaw in GoAnywhere MFT's License Servlet
blogs_bleepingcomputer · 2025-09-19 · CVSS 10.0 · CVE-2025-10035 [CRITICAL]
By Sergiu Gatlan
Fortra has released security updates to patch a maximum severity vulnerability in GoAnywhere MFT's License Servlet that can be exploited in command injection attacks.
GoAnywhere MFT is a web-based managed file transfer tool that helps organizations securely transfer files and maintain audit logs of who accesses the shared files.
Tracked as CVE-2025-10035, this security flaw is caused by a deserialization of untrusted data weakness and can be exploited remotely in low-complexity attacks that don't require user interaction.
"A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary a
Qualys
Qualys Research Team: Threat Thursdays, September 2022
blogs_qualys · 2022-09-29
## Table of Contents
- Threat Intelligence from the Qualys Blog
- New Threat Hunting Tools & Techniques
- New Vulnerabilities
- Noteworthy Mentions
- Threat Thursdays Webinar
Welcome to the second edition of the Qualys Research Team's "Threat Research Thursday", where we collect and curate notable new tools, techniques, procedures, threat intelligence, cybersecurity news, malware attacks, and more. Feedback on our first edition, Introducing Qualys Threat Research Thursdays, is more than welcome. We would love to hear from you!
## Threat Intelligence from the Qualys Blog
Here is a roundup of the most interesting blogs from the Qualys Research Team over the past couple of weeks:
- September 2022 Patch Tuesday – Debra Fezza Reed, our in-house unofficial "chief of intelligent vulnerability analyt
References
- https://www.cobaltstrike.com/blog/out-of-band-update-cobalt-strike-4-7-1/
- https://www.cobaltstrike.com/blog/tag/release/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-39197
Timeline
- 2022-09-22: Published
- 2023-03-30: Added to CISA KEV
- Exploited in the wild