CVE-2022-31199
Vexday Risk Score
90: Fix now
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 9.8 | EPSS 36.2% | KEV yes | Public PoC | Nuclei — | Metasploit — | Patch —
Lifecycle
08 Nov 2022: Published on NVD
11 Jul 2023: Active exploitation (CISA KEV)
17 Nov 2025: Public PoC
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
A vulnerability in Netwrix Auditor's video recording component allows unauthenticated attackers to remotely execute arbitrary code with system-level privileges on affected servers and monitored systems. This is a critical flaw because attackers can gain complete control without needing valid credentials.
Technical detail
CWE-502 (deserialization of untrusted data) enables unauthenticated remote code execution via the User Activity Video Recording protocol component. An attacker can send malicious messages to the affected component (Netwrix Auditor server or agents) without authentication to achieve arbitrary code execution with NT AUTHORITY\SYSTEM privileges. The vulnerability impacts both the monitoring infrastructure and any systems monitored by Netwrix Auditor.
Summary generated and translated by AI from the official description.
Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H