CVE-2022-2414

HIGH EXPLOITED NUCLEI

Dogtag PKI - XML External Entity File Disclosure via Crafted HTTP Request

Title source: manual

Exploitation Summary

CVE-2022-2414 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including amitlttwo, geniuszly, superhac. A Nuclei detection template is also available.

AI-analyzed exploit summary This is a functional proof-of-concept exploit for CVE-2022-2414, an XXE vulnerability in pki-core. It sends a crafted XML payload to retrieve the contents of /etc/passwd and generates a professional report if successful.

Description

Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.

Exploits (5)

nomisec WORKING POC 10 stars

by amitlttwo · infoleak

https://github.com/amitlttwo/CVE-2022-2414-Proof-Of-Concept

View Code ZIP pw:eip

This is a functional proof-of-concept exploit for CVE-2022-2414, an XXE vulnerability in pki-core. It sends a crafted XML payload to retrieve the contents of /etc/passwd and generates a professional report if successful.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: pki-core (version not specified)

No auth needed

Prerequisites: Network access to the vulnerable pki-core endpoint

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1552.005 - Cloud Instance Metadata API

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 3 stars

by geniuszly · infoleak

https://github.com/geniuszly/CVE-2022-2414

View Code ZIP pw:eip

This is a functional PoC for CVE-2022-2414, demonstrating an XXE vulnerability in the target software. It sends a crafted XML payload to read sensitive files (e.g., /etc/passwd) from the server.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Sectigo Certificate Manager (SCM) versions prior to 2022-02-15

No auth needed

Prerequisites: Network access to the target server · Target server running vulnerable Sectigo Certificate Manager

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1552.005 - Cloud Instance Metadata API

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by superhac · poc

https://github.com/superhac/CVE-2022-2414-POC

View Code ZIP pw:eip

This PoC demonstrates an XXE (XML External Entity) vulnerability in FreeIPA's certificate enrollment endpoint, allowing arbitrary file read via a crafted XML payload. The exploit sends a malicious XML request to the target endpoint to retrieve the contents of /etc/passwd.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: FreeIPA (version not specified)

No auth needed

Prerequisites: Network access to the FreeIPA server · The /ca/rest/certrequests endpoint must be exposed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1552.001 - Credentials In Files

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by satyasai1460 · infoleak

https://github.com/satyasai1460/CVE-2022-2414

View Code ZIP pw:eip

This PoC exploits an XXE (XML External Entity) vulnerability in the target software to read arbitrary files from the server. The payload is crafted to read /etc/passwd, demonstrating the vulnerability.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Unknown (likely a certificate enrollment service)

No auth needed

Prerequisites: Network access to the target service · The target service must be vulnerable to XXE

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1552.001 - Credentials In Files

devstral-2 · analyzed Feb 16, 2026 Full analysis →

inthewild WORKING POC

poc

https://github.com/geniuszlyy/cve-2022-2414

View Code ZIP pw:eip

This repository contains a functional Python script that exploits an XXE vulnerability (CVE-2022-2414) to read sensitive files from a target server. The script sends a crafted XML payload to a specified endpoint and retrieves the response.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Unknown (likely a web application with XML processing)

No auth needed

Prerequisites: Python 3 · requests library · target URL with vulnerable XML endpoint

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 23, 2026 Full analysis →

Nuclei Templates (1)

FreeIPA - XML Entity Injection

HIGHVERIFIEDby DhiyaneshDk

Shodan: title:"Identity Management" html:"FreeIPA" || http.title:"identity management" html:"freeipa"

FOFA: title="Identity Management" || title="identity management" || title="identity management" html:"freeipa"

References (1)

Core 1

Core References

Issue Tracking, Patch, Third Party Advisory x_refsource_misc

https://github.com/dogtagpki/pki/pull/4021

Scores

CVSS v3 7.5

EPSS 0.9069

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2023-11-15

CWE

CWE-611

Status published

Products (7)

dogtagpki/dogtagpki 10.5.18

dogtagpki/dogtagpki 10.7.4

dogtagpki/dogtagpki 10.8.3

dogtagpki/dogtagpki 10.11.2

dogtagpki/dogtagpki 10.12.4

dogtagpki/dogtagpki 11.0.5

dogtagpki/dogtagpki 11.1.0

Published Jul 29, 2022

Tracked Since Feb 18, 2026