Threats / Netwrix / CVE-2022-31199
CVE-2022-31199
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Netwrix Auditor vulnerability
Netwrix Auditor contains an insecure deserialization vulnerability in the User Activity Video Recording component that allows unauthenticated remote code execution as SYSTEM on port 9004/TCP.
Verdict
Today item, not a backlog item.
An unauthenticated attacker with network access to port 9004/TCP can exploit insecure object deserialization to achieve arbitrary code execution with SYSTEM privileges. This vulnerability has been exploited in ransomware campaigns.
CISA KEV Yes · 2023-07-113Ransomware use Flagged3EPSS 0.364 (verify live)4Exploit Weaponized · public PoC5
01
Is it exploitable?
— the evidence, ranked above the scoreExploit available
Fully weaponized — public exploit code is cataloged for this vulnerability.We link the existence of the exploit; we do not host or redistribute payloads.
Reported exploitation
7 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2023-07-11), flagged for known ransomware use.
Probability (EPSS)
EPSS 0.364 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Netwrix, Auditor. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-502 Deserialization of Untrusted Data, CWE-122 Heap-based Buffer Overflow — weakness family: Injection, Memory safety.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
WeaknessCWE-502 · Deserialization of Untrusted DataCWE-122 · Heap-based Buffer OverflowInjection, Memory safety
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I craft a malicious serialized object and send it to the exposed port 9004/TCP endpoint.
Business
The organization's Auditor deployment becomes an initial compromise vector for ransomware deployment.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
My payload deserializes without validation, executing arbitrary code in the context of NT AUTHORITY\SYSTEM.
Business
Attackers gain complete system-level control over the Auditor server and potentially the monitored infrastructure.
3
Lateral reach — past segmentation narrative 3
Attacker
I establish persistence and move laterally through the network using SYSTEM-level privileges.
Business
Ransomware operators encrypt critical data and audit logs, disrupting operations and eliminating forensic evidence.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05