# Nuclei TCP template: sends one raw write to TCP/9004 and checks the reply
# for .NET remoting strings associated with the Netwrix Auditor UAVRServer
# listener. This is a banner/reachability check, not a version check — see
# the notes above the matchers before reporting a hit.
id: CVE-2022-31199

info:
  name: Netwrix Auditor < 10.5 - Remote Code Execution
  author: codingsh
  severity: critical
  description: |
    Netwrix Auditor versions prior to 10.5 are vulnerable to insecure object deserialization through an unsecured .NET remoting service on TCP port 9004.
    An unauthenticated remote attacker can submit arbitrary objects to the UAVRServer endpoint to achieve remote code execution with NT AUTHORITY\SYSTEM privileges.
    This vulnerability has been actively exploited by threat actors including the Truebot malware campaign.
  reference:
    - https://bishopfox.com/blog/netwrix-auditor-advisory
    - https://nvd.nist.gov/vuln/detail/CVE-2022-31199
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
    - https://www.netwrix.com/netwrix_statement_on_cve202231199.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-31199
    cwe-id: CWE-502
    epss-score: 0.00303
    epss-percentile: 0.67695
    cpe: cpe:2.3:a:netwrix:auditor:*:*:*:*:*:*:*:*
  metadata:
    # Not validated against a live instance: treat every match as a
    # candidate that needs manual confirmation of product and version.
    verified: false
    max-request: 1
    vendor: netwrix
    product: auditor
    shodan-query: port:9004
    fofa-query: port="9004"
  tags: cve,cve2022,netwrix,rce,deserialization,dotnet,tcp,kev

tcp:
  - inputs:
      # Single raw write. The hex appears to decode to a few header bytes
      # followed by an assembly-name string (System.Runtime.Remoting...,
      # Version=4.0.0.0, Culture=neutral, PublicKeyToken=...) and nothing
      # after it — presumably a truncated stream intended to make the
      # remoting channel answer with an error, not an object payload.
      # NOTE(review): the assembly name inside the hex reads "Messagiing";
      # looks like a typo — confirm what reply the probe actually elicits
      # before changing any bytes, since the matchers below depend on it.
      - data: |
          {{hex_decode('00010000010000000000000000000c020000005c53797374656d2e52756e74696d652e52656d6f74696e672e4d657373616769696e672c2056657273696f6e3d342e302e302e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623737613563353631393334653038390a')}}
    host:
      - "{{Hostname}}"
    port: 9004
    # Only the first 2048 bytes of the reply are visible to the matchers
    # and extractors.
    read-size: 2048

    # Both matcher groups must hit, but each group is an OR of fairly
    # generic strings: ".NET" together with "RemotingException" would be
    # satisfied by any .NET remoting endpoint rejecting a malformed stream
    # on 9004, not only Netwrix Auditor. Nothing here inspects the product
    # version, so a host already on 10.5+ that still exposes the listener
    # may match as well. Triage a hit by confirming the installed version;
    # the fix is the vendor release (10.5) and keeping TCP/9004 off
    # untrusted networks.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "System.Runtime.Remoting"
          - ".NET"
        condition: or
      - type: regex
        part: body
        regex:
          - "(?i)(UAVRServer|Netwrix)"
          - "RemotingException"
        condition: or

    # Capture group 1 is reported with the finding: either the product /
    # server token or the remoting exception class seen in the reply,
    # which helps distinguish a Netwrix hit from a generic remoting error.
    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '(UAVRServer|Netwrix[A-Za-z0-9\.]*)'
          - 'System\.Runtime\.Remoting\.([A-Za-z]+Exception)'