CVE-2022-23851

9.8 CRITICAL

📋 TL;DR

CVE-2022-23851 is a server-side template injection (SSTI) vulnerability in Netaxis API Orchestrator (APIO) that lets an attacker who can reach the application submit template syntax that the server renders, leading to arbitrary code execution. All APIO releases before 0.19.3 are affected. Successful exploitation gives the attacker code execution as the APIO service account and, from there, full compromise of the host.

💻 Affected Systems

Products:
  • Netaxis API Orchestrator (APIO)
Versions: All versions before 0.19.3
Operating Systems: Linux-based systems where APIO is deployed
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the application's template rendering, not an optional setting, so every deployment on an affected version is exposed regardless of configuration

📦 What is this software?

Netaxis API Orchestrator (APIO) is the API orchestration product from Netaxis (product page: https://www.netaxis.be/products/apio/). The vulnerable component is the server-side template rendering inside the application itself.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise leading to data theft, lateral movement, ransomware deployment, and persistent backdoor installation

🟠

Likely Case

Remote code execution allowing attackers to gain shell access, exfiltrate sensitive data, and pivot to other systems

🟢

If Mitigated

Limited impact if proper network segmentation, least privilege, and monitoring are in place

🌐 Internet-Facing: HIGH - Exploitation can be performed remotely without authentication
🏢 Internal Only: HIGH - Any host that can reach the APIO listener can exploit it; internal placement only shrinks the set of attackers, it does not remove the flaw

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available and exploitation requires minimal technical skill

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.19.3

Vendor Advisory: https://www.netaxis.be/products/apio/ (vendor product page; obtain the 0.19.3 release through Netaxis)

Restart Required: Yes

Instructions:

1. Download APIO version 0.19.3 or later from Netaxis.
2. Back up the current configuration.
3. Stop the APIO service.
4. Install the new version.
5. Restore the configuration.
6. Start the APIO service.

🔧 Temporary Workarounds

Network Access Restriction

Restrict network access to APIO's listening port to trusted source addresses only. These rules must sit ahead of any broader ACCEPT rule in the INPUT chain (use -I instead of -A on a host that already has one), and they do nothing against an attacker who is already on a trusted address:

# Allow the APIO port only from trusted sources, then drop everything else to it
iptables -A INPUT -p tcp --dport <APIO_PORT> -s <TRUSTED_IP> -j ACCEPT
iptables -A INPUT -p tcp --dport <APIO_PORT> -j DROP

Persist the rules (iptables-save or your distribution's equivalent) so they survive a reboot.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate APIO from critical systems
  • Deploy a web application firewall (WAF) with SSTI rules as a stopgap only; template syntax is easy to encode around, so treat the WAF as an alerting layer as much as a blocking one

🔍 How to Verify

Check if Vulnerable:

Read the running APIO version from the web interface or the installation's configuration files; any version before 0.19.3 is vulnerable.

Check Version:

Compare the reported version against 0.19.3 as a dotted-numeric value (0.19.10 is newer than 0.19.3; a plain string comparison gets this wrong).

Verify Fix Applied:

Confirm the version is 0.19.3 or later, then, on a system you are authorised to test, submit a benign arithmetic template probe such as {{7*7}} to the input that was previously injectable and confirm the response echoes or rejects it rather than returning 49. Use arithmetic probes only; command-execution payloads are not a verification step.
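The two checks above as a small script. This is an added example, not code from the page or from Netaxis: the version comparison uses the fix version the page reports, and the probe helper assumes a URL and query parameter name that you must substitute, because the page does not name APIO's injectable input. The probes are arithmetic only; a vulnerable engine replaces 1337*1337 with 1787569, a fixed one echoes or rejects the text.

```python
"""Verify the CVE-2022-23851 fix: version check plus a benign SSTI probe (added example)."""
import re
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

FIXED_VERSION = (0, 19, 3)   # first release the page reports as fixed

# Benign arithmetic probes in the three syntaxes the page's SIEM query looks for.
# A vulnerable engine replaces the probe with its result; a safe one echoes or rejects it.
PROBES = ("{{1337*1337}}", "${1337*1337}", "<%=1337*1337%>")
EXPECTED = str(1337 * 1337)  # "1787569": unlikely to appear in a page by accident


def parse_version(version: str) -> tuple:
    """Leading dotted numbers of a version string, zero-padded to three parts.
    '0.19.2-rc1' -> (0, 19, 2); 'v0.20' -> (0, 20, 0)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_vulnerable_version(version: str) -> bool:
    """True for any version before 0.19.3 (numeric, so 0.19.10 is correctly newer than 0.19.3)."""
    return parse_version(version) < FIXED_VERSION


def probe_evaluated(body: str, probe: str) -> bool:
    """True if the response carries the computed result and no longer echoes the raw probe."""
    return EXPECTED in body and probe not in body


def probe_endpoint(url: str, param: str, timeout: float = 10.0):
    """Send each probe in one query parameter of a URL you are authorised to test.
    Returns the first probe that was evaluated, or None if none was.
    url and param are placeholders (assumption): substitute the real APIO input."""
    for probe in PROBES:
        req = Request(f"{url}?{urlencode({param: probe})}",
                      headers={"User-Agent": "cve-2022-23851-fix-check"})
        try:
            with urlopen(req, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", errors="replace")
        except HTTPError as err:          # 4xx/5xx bodies can still contain an evaluated result
            body = err.read().decode("utf-8", errors="replace")
        if probe_evaluated(body, probe):
            return probe
    return None


if __name__ == "__main__":
    for v in ("0.19.2", "0.19.3", "0.20.0"):
        print(f"APIO {v}: {'VULNERABLE' if is_vulnerable_version(v) else 'fixed'}")
    # Constructed responses: one where the engine evaluated the probe, one where it echoed it.
    print(probe_evaluated("<p>Result: 1787569</p>", PROBES[0]))       # True
    print(probe_evaluated("<p>Result: {{1337*1337}}</p>", PROBES[0]))  # False
```

Run probe_endpoint only against a system you own or are authorised to test, and treat a None result as "not evaluated by these three syntaxes", not as proof the fix is complete; the version check remains the authoritative signal.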

📡 Detection & Monitoring

Log Indicators:

  • Template syntax ({{ }}, ${ }, <% %>, including URL-encoded forms such as %7B%7B) in request parameters reaching APIO
  • Template-rendering errors or stack traces in the APIO application log following such requests
  • Unexpected child processes spawned by the APIO service account (shells, curl/wget, interpreters)

Network Indicators:

  • HTTP requests carrying template injection payloads
  • Outbound connections from the APIO host to unknown destinations (reverse shells, tooling downloads)

SIEM Query (Splunk syntax):

source="apio_logs" | regex _raw="(?i)\{\{.*?\}\}|\$\{.*?\}|<%.*?%>|%7B%7B|%24%7B|%3C%25"

Web-server access logs record only the request line, so payloads sent in a POST body appear only in the application's own logs or in a proxy configured to log request bodies.
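The same detection logic as a script you can run over an access log before it reaches the SIEM. This is an added example, not part of the page or of APIO; the log lines are constructed, and the paths and parameter names in them are illustrative rather than APIO's real routes. It URL-decodes each request target twice so that both plain-encoded ({{ as %7B%7B) and double-encoded (%257B%257B) probes surface, then classifies the marker by template family.

```python
"""Scan web-server access logs for SSTI probes (added example with constructed sample data)."""
import re
from collections import Counter
from urllib.parse import unquote

# Combined/common log format: client, timestamp, request line, status. Other fields are ignored.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Template syntaxes named in the SIEM query above, plus the block-tag forms that travel with them.
# Order matters: the first family whose pattern matches is the one reported.
SSTI_FAMILIES = (
    ("jinja2/twig", re.compile(r"\{\{.*?\}\}|\{%.*?%\}")),
    ("freemarker/velocity", re.compile(r"\$\{.*?\}|#\{.*?\}")),
    ("erb/jsp", re.compile(r"<%.*?%>")),
)


def decode_target(target: str, rounds: int = 2) -> str:
    """URL-decode repeatedly so %7B%7B and double-encoded %257B%257B both surface as '{{'."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(text: str):
    """Return the template family whose marker appears in text, or None."""
    for family, pattern in SSTI_FAMILIES:
        if pattern.search(text):
            return family
    return None


def scan_lines(lines):
    """Return one finding per log line whose request target carries a template marker."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip it rather than fail the whole scan
        target = decode_target(m.group("target"))
        family = classify(target)
        if family:
            findings.append({
                "client": m.group("client"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "family": family,
                "target": target,
            })
    return findings


def count_by_client(findings):
    """Probes per source address; repeated hits from one client are the strongest signal."""
    return Counter(f["client"] for f in findings)


# Constructed sample lines (paths and parameters are illustrative, not APIO's real routes).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2022:10:15:02 +0000] "GET /api/v1/templates?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Jan/2022:10:15:09 +0000] "GET /api/v1/users?page=2 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [12/Jan/2022:10:16:41 +0000] "GET /api/v1/templates?name=%2524%257Bconfig%257D HTTP/1.1" 500 0',
    '203.0.113.7 - - [12/Jan/2022:10:17:03 +0000] "POST /api/v1/render?tpl=%3C%25%3D7*7%25%3E HTTP/1.1" 403 0',
    'garbage line that is not an access log entry',
]

if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['client']} {h['family']:<20} {h['status']} {h['target']}")
    print("per client:", dict(count_by_client(hits)))
```

A 500 following a probe is worth more than a 200: it often means the engine tried to render the payload. Because only the request line is parsed, POST bodies are invisible to this scan, which is why the application's own logs need the same rule.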
