CVE-2022-31199

CRITICAL KEV RANSOMWARE LAB

Netwrix Auditor < 10.5 - Unauthenticated Remote Code Execution via User Activity Video Recording Component

Title source: llm

Exploitation Summary

CVE-2022-31199 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added July 11, 2023, with confirmed use in ransomware campaigns. EIP tracks 1 public exploit from researchers including developerfred.

AI-analyzed exploit summary This repository contains a complete vulnerable lab environment for CVE-2022-31199, simulating the Netwrix Auditor .NET Remoting insecure deserialization vulnerability. It includes multiple deployment options, pre-built exploits, and educational materials for testing and exploitation.

Description

Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.

Exploits (1)

nomisec WORKING POC

by developerfred · remote

https://github.com/developerfred/CVE-2022-31199

View Code ZIP pw:eip

This repository contains a complete vulnerable lab environment for CVE-2022-31199, simulating the Netwrix Auditor .NET Remoting insecure deserialization vulnerability. It includes multiple deployment options, pre-built exploits, and educational materials for testing and exploitation.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Netwrix Auditor < 10.5

No auth needed

Prerequisites: Docker · Docker Compose · Git · Python 3.8+ (optional) · Windows with .NET Framework 4.8 (optional) · ysoserial.net (optional)

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://bishopfox.com/blog/netwrix-auditor-advisory

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-31199

Scores

CVSS v3 9.8

EPSS 0.3640

EPSS Percentile 98.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Lab Environment

COMMUNITY

Community Lab

docker pull mcr.microsoft.com/dotnet/framework/sdk:4.8-windowsservercore-ltsc2019

https://github.com/developerfred/CVE-2022-31199

View in Library

Details

CISA KEV 2023-07-11

VulnCheck KEV 2022-12-08

InTheWild.io 2022-12-08

ENISA EUVD EUVD-2022-53293

Ransomware Use Confirmed

CWE

CWE-502

Status published

Products (1)

netwrix/auditor < 10.5

Published Nov 08, 2022

KEV Added Jul 11, 2023

Tracked Since Feb 18, 2026