CVE-2022-22572

8.8 HIGH

📋 TL;DR

This vulnerability allows a non-admin user with user management permissions to escalate privileges to admin via the password reset functionality in Incapptic Connect. It affects Incapptic Connect versions before 1.40.1, potentially compromising administrative control of the system.

💻 Affected Systems

Products:
  • Incapptic Connect
Versions: < 1.40.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a user account with user management permissions; default configurations may include such users.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker gains full administrative control over the Incapptic Connect system, enabling them to modify configurations, access sensitive data, deploy malicious applications, or disrupt operations.

🟠

Likely Case

A malicious insider or compromised account with user management permissions escalates to admin, leading to unauthorized access to administrative functions and potential data exposure.

🟢

If Mitigated

With proper access controls and monitoring in place, escalation attempts are detected and do not result in a successful compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with user management permissions; the vulnerability is straightforward to exploit once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.40.1

Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-for-incapptic-Connect-SA-2022-03-10?language=en_US

Restart Required: Yes

Instructions:

1. Download Incapptic Connect version 1.40.1 or later from the official vendor source.
2. Back up the current configuration and data.
3. Install the update following the vendor instructions.
4. Restart the Incapptic Connect service or server as required.

🔧 Temporary Workarounds

Restrict User Management Permissions

Applies to: all

Temporarily remove or limit user management permissions for non-admin users to prevent exploitation.

🧯 If You Can't Patch

  • Monitor logs for unusual password reset or privilege escalation activities.
  • Implement network segmentation to isolate Incapptic Connect from critical systems.

🔍 How to Verify

Check if Vulnerable:

Check the Incapptic Connect version in the admin interface or configuration files; if the version is lower than 1.40.1, the installation is vulnerable.

Check Version:

Check the admin dashboard or refer to vendor documentation for version query commands specific to your deployment.

Verify Fix Applied:

After patching, confirm the version is 1.40.1 or higher and test that non-admin users cannot escalate privileges via password reset.

📡 Detection & Monitoring

Log Indicators:

  • Unusual password reset requests from non-admin users
  • Admin privilege changes or access logs showing escalation

Network Indicators:

  • Anomalous authentication or user management traffic patterns

SIEM Query:

Example: 'event_type:password_reset AND user_role:non_admin AND result:success'
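The following is an added example, not code from the advisory or from the vendor, covering both the version check under "How to Verify" and the log pattern behind the SIEM query above. It compares versions numerically against the fixed release 1.40.1 (a plain string comparison would rank "1.9.0" above "1.40.1"), and it scans audit log lines for successful password resets performed by non-admin accounts, raising the severity when the reset targets an admin account or the same actor is subsequently granted the admin role. The key=value log format, the field names beyond those in the SIEM query, the sample log lines and the set of admin account names are all constructed assumptions; Incapptic Connect's real log format is not documented on this page.

```python
"""Added example (not vendor code): version gate for the CVE-2022-22572 fix
and a defender-side detector for suspicious password resets.

The log format, field names and sample accounts below are constructed
assumptions, not Incapptic Connect's actual audit log schema.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# First release that contains the fix, per the advisory on this page.
FIXED_VERSION: Tuple[int, ...] = (1, 40, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '1.40.1' or 'v1.40.1' into an integer tuple for numeric comparison."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the running version is older than 1.40.1.

    Tuples compare element-wise, so (1, 9, 0) < (1, 40, 1) as required,
    whereas the strings '1.9.0' and '1.40.1' would compare the wrong way.
    """
    return parse_version(version) < FIXED_VERSION


def parse_line(line: str) -> Dict[str, str]:
    """Parse a 'key=value key=value' audit line (hypothetical format)."""
    return {k: v for k, v in (tok.split("=", 1) for tok in line.split() if "=" in tok)}


def find_suspicious_resets(lines: Iterable[str], admin_accounts: Set[str]) -> List[Dict[str, str]]:
    """Flag successful password resets initiated by non-admin accounts.

    Mirrors the SIEM query on the page (password_reset, non-admin role,
    success) and adds two correlations a defender would want:
      - high: the reset target is a known admin account
      - critical: the same actor is later granted the admin role
    """
    events = [parse_line(line) for line in lines]
    findings: List[Dict[str, str]] = []
    for idx, ev in enumerate(events):
        if ev.get("event_type") != "password_reset" or ev.get("result") != "success":
            continue
        if ev.get("actor_role") == "admin":
            continue  # admins resetting passwords is expected behaviour
        actor, target = ev.get("actor", ""), ev.get("target", "")
        severity, reason = "medium", "non-admin account performed a successful password reset"
        if target in admin_accounts:
            severity, reason = "high", "non-admin account reset the password of an admin account"
        # Correlate forward in the log: did this actor then become admin?
        promoted = any(
            later.get("event_type") == "role_change"
            and later.get("target") == actor
            and later.get("new_role") == "admin"
            for later in events[idx + 1:]
        )
        if promoted:
            severity, reason = "critical", "non-admin reset a password and was then promoted to admin"
        findings.append({"ts": ev.get("ts", ""), "actor": actor, "target": target,
                         "severity": severity, "reason": reason})
    return findings


# Constructed sample data (not real logs or real accounts).
ADMIN_ACCOUNTS: Set[str] = {"admin"}
LOG_LINES: List[str] = [
    "ts=2022-03-10T09:00:01Z event_type=password_reset actor=alice actor_role=admin target=bob result=success",
    "ts=2022-03-10T09:05:12Z event_type=password_reset actor=mallory actor_role=user_manager target=admin result=success",
    "ts=2022-03-10T09:05:40Z event_type=login actor=admin actor_role=admin result=success",
    "ts=2022-03-10T09:06:02Z event_type=role_change actor=admin target=mallory new_role=admin result=success",
    "ts=2022-03-10T09:07:00Z event_type=password_reset actor=carol actor_role=user_manager target=dave result=failure",
]

if __name__ == "__main__":
    for v in ("1.39.2", "1.40", "1.40.1", "1.41.0"):
        print(f"{v:8} vulnerable={is_vulnerable(v)}")
    for finding in find_suspicious_resets(LOG_LINES, ADMIN_ACCOUNTS):
        print(finding)
```

Running the block as a script prints the version verdicts and a single critical finding for the constructed actor "mallory"; the admin-initiated reset and the failed reset are not reported. To use it against real data, replace `parse_line` with a parser for your deployment's actual log format and populate `ADMIN_ACCOUNTS` from your user directory.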

🔗 References
