CVE-2022-42948

CRITICAL KEV

Cobalt Strike 4.7.1 - Unescaped HTML in Swing UI (RCE)

Title source: llm

Description

Cobalt Strike 4.7.1 does not escape HTML in strings it displays in Swing components. Swing hands any component text that begins with `<html>` to its built-in HTML parser, so an attacker who can get crafted HTML into data that the client displays has it interpreted as markup rather than shown as text; with crafted HTML this can be escalated to remote code execution in the Cobalt Strike client UI. The defensive fix for this class of bug (CWE-116) is to HTML-escape untrusted strings before they reach the component, or to disable HTML rendering on components that never need rich text.

Scores

CVSS v3 9.8
EPSS 0.2206
EPSS Percentile 95.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2023-03-30
VulnCheck KEV 2023-03-30
InTheWild.io 2023-03-30
ENISA EUVD EUVD-2022-46004
CWE
CWE-116 (Improper Encoding or Escaping of Output)
Status published
Products (1)
helpsystems/cobalt_strike 4.7.1
Published Mar 24, 2023
KEV Added Mar 30, 2023
Tracked Since Feb 18, 2026