CVE-2022-25152

9.9 CRITICAL

📋 TL;DR

CVE-2022-25152 is a critical vulnerability in the ITarian platform that allows an authenticated platform user to bypass the mandatory approval process for procedures and execute arbitrary code on all agents. Because agents run on the managed endpoints, this amounts to full takeover of every managed system. Any organization running an ITarian platform version prior to 6.35.37347.20040 (SaaS or on-premise) is affected.

💻 Affected Systems

Products:
  • ITarian platform (both SaaS and on-premise deployments)
Versions: All versions prior to 6.35.37347.20040
Operating Systems: All operating systems supported by ITarian agents
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the approval process feature for procedures. Both cloud and on-premise deployments are affected.

📦 What is this software?

ITarian is an IT management platform, offered both as SaaS and as an on-premise install, that deploys an agent to each managed endpoint and lets operators run procedures (scripts) on those agents from the central console. Procedures are supposed to pass a mandatory approval step before they can be executed; this CVE is a flaw in that approval step.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all managed endpoints, allowing attackers to install malware, steal data, pivot to other systems, and maintain persistent access across the entire IT infrastructure.

🟠 Likely Case

An attacker holding valid platform credentials (phished, reused, or belonging to a malicious insider) executes arbitrary commands on all managed systems, leading to data exfiltration, ransomware deployment, or lateral movement within the network.

🟢 If Mitigated

Network segmentation and endpoint protection can slow the attacker's pivot from compromised endpoints, but they do not stop the platform itself from pushing the procedure: every agent the platform reaches is still fully controlled by the attacker.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a valid authenticated session on the platform but is otherwise straightforward: the flaw is in the approval step for procedures, which an authenticated user can skip so that the procedure runs on every agent.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.35.37347.20040 and later

Advisory (DIVD CSIRT): https://csirt.divd.nl/CVE-2022-25152

Restart Required: Yes

Instructions:

1. Upgrade the ITarian platform to version 6.35.37347.20040 or later.
2. Restart the ITarian service.
3. Verify that all agents are updated to versions compatible with the patched platform.

🔧 Temporary Workarounds

Disable procedures feature (applies to: all deployments)

Temporarily disable the procedures functionality until patching can be completed. This is the only workaround that actually removes the exploitable path.

Implement strict approval workflows (applies to: all deployments)

Require multiple approvers and additional validation for all procedure executions. Caveat: because the flaw lets a user skip the approval step altogether, adding approvers does not by itself block exploitation. Treat this as a compensating control that makes legitimate executions easy to distinguish from bypassed ones in the logs, and pair it with monitoring.

🧯 If You Can't Patch

  • Reduce the set of accounts able to create or execute procedures to the minimum, and enforce strong authentication on them, since a valid session is all an attacker needs
  • Implement network segmentation to isolate ITarian management traffic
  • Enable strict monitoring and alerting for procedure executions that lack a matching approval event, in particular executions targeting large numbers of agents

🔍 How to Verify

Check if Vulnerable:

Check ITarian platform version in administration console. If version is below 6.35.37347.20040, the system is vulnerable.

Check Version:

Read the platform version from the ITarian administration interface (for on-premise installs, the deployed build number). Compare the dotted build number component by component as numbers, not as a string.

Verify Fix Applied:

Verify that the platform version is 6.35.37347.20040 or higher. Then, with a non-administrative test account, create a procedure and attempt to execute it against a test agent before it has been approved; the platform must reject the execution.
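The version gate above is easy to get wrong if the build string is compared as text. The following is an added example, not ITarian's own code: it assumes the build string has the dotted numeric form the page uses (6.35.37347.20040) and that you read it from the admin console and pass it in; no API or CLI call is assumed.

```python
"""Version gate for CVE-2022-25152: is an ITarian build older than the first fixed one?

Added example, not ITarian's own code. The build string is assumed to be the
dotted numeric form shown in the admin console (e.g. "6.35.37347.20040").
"""

FIXED_VERSION = "6.35.37347.20040"  # first fixed build, per the advisory


def parse_version(version):
    """Split 'a.b.c.d' into a tuple of ints so components compare numerically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected version format: %r" % version)
    return tuple(int(p) for p in parts)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed build predates the fix.

    Tuple comparison is component-wise and numeric. A build string with fewer
    components (e.g. "6.35") is treated as older than "6.35.0.0", which is the
    safe direction for a vulnerability check.
    """
    return parse_version(installed) < parse_version(fixed)


def naive_string_check(installed, fixed=FIXED_VERSION):
    """The wrong way: lexicographic comparison, kept only to show the pitfall.

    "6.4.0.0" < "6.35.37347.20040" is False as text because '4' > '3', so this
    would report a 6.4 build (which is older than 6.35) as not vulnerable.
    """
    return installed < fixed


if __name__ == "__main__":
    for build in ["6.34.99999.99999", "6.35.37347.20040", "6.4.0.0", "7.0.0.1"]:
        print("%18s  vulnerable=%-5s  naive=%s"
              % (build, is_vulnerable(build), naive_string_check(build)))
```

Builds with non-numeric suffixes are rejected rather than guessed at; if your console shows such a string, inspect it by hand rather than extending the parser to accept it silently.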

📡 Detection & Monitoring

Log Indicators:

  • Procedure executions with no corresponding approval event, or whose approval is recorded only after the execution
  • Procedures approved by the same account that created them
  • Unusual procedure creation patterns, such as new procedures created and executed within minutes by a single account, or executions targeting far more agents than usual

Network Indicators:

  • Bursts of traffic from the ITarian server to many agents at once outside normal maintenance windows
  • Unexpected child processes spawned by the agent on endpoints (shells, script interpreters, downloaders) shortly after such a burst

SIEM Query:

A bypassed approval will not label itself as bypassed in the logs, so search for executions that have no matching approval record. The query below is in Splunk syntax with placeholder field names (source, event_type, procedure_id); map them to the fields your ITarian log export actually emits.

source="itarian" event_type="procedure_execution" NOT [search source="itarian" event_type="procedure_approval" | fields procedure_id]
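The same correlation, run offline over exported events, as an added example that is not part of the original advisory or of ITarian. The event shape and field names (ts, event, proc_id, user, targets) are assumptions standing in for whatever your export produces, and the sample events are constructed for illustration. The checks are generic approval-workflow heuristics (no approval before execution, approval only by the procedure's own creator, mass targeting) and do not describe the specific mechanism of the flaw.

```python
"""Flag ITarian procedure executions that were not properly approved.

Added example, not ITarian's own code. Event fields are assumed; map them to
your own log export. Sample events below are constructed, not captured.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (illustrative only).
SAMPLE_EVENTS = [
    {"ts": "2022-03-01T09:00:00Z", "event": "procedure_created",  "proc_id": "P-1", "user": "alice"},
    {"ts": "2022-03-01T09:05:00Z", "event": "procedure_approved", "proc_id": "P-1", "user": "bob"},
    {"ts": "2022-03-01T09:10:00Z", "event": "procedure_executed", "proc_id": "P-1", "user": "alice", "targets": 12},
    {"ts": "2022-03-01T10:00:00Z", "event": "procedure_created",  "proc_id": "P-2", "user": "mallory"},
    {"ts": "2022-03-01T10:01:00Z", "event": "procedure_executed", "proc_id": "P-2", "user": "mallory", "targets": 480},
    {"ts": "2022-03-01T11:00:00Z", "event": "procedure_created",  "proc_id": "P-3", "user": "carol"},
    {"ts": "2022-03-01T11:02:00Z", "event": "procedure_approved", "proc_id": "P-3", "user": "carol"},
    {"ts": "2022-03-01T11:03:00Z", "event": "procedure_executed", "proc_id": "P-3", "user": "carol", "targets": 3},
    {"ts": "2022-03-01T12:00:00Z", "event": "procedure_created",  "proc_id": "P-4", "user": "dave"},
    {"ts": "2022-03-01T12:01:00Z", "event": "procedure_executed", "proc_id": "P-4", "user": "dave", "targets": 50},
    {"ts": "2022-03-01T12:30:00Z", "event": "procedure_approved", "proc_id": "P-4", "user": "erin"},
]


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_unapproved_executions(events, mass_target_threshold=100):
    """Return a list of (proc_id, reason) for each suspicious execution.

    An execution is flagged when no approval precedes it in time, or when every
    approval that precedes it came from the procedure's own creator. The
    threshold for "mass" targeting is an assumed tuning knob.
    """
    by_proc = defaultdict(list)
    for e in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        by_proc[e["proc_id"]].append(e)

    findings = []
    for proc_id, evs in by_proc.items():
        creator = next((e["user"] for e in evs if e["event"] == "procedure_created"), None)
        approvals = [e for e in evs if e["event"] == "procedure_approved"]
        for ex in (e for e in evs if e["event"] == "procedure_executed"):
            ex_ts = _parse_ts(ex["ts"])
            prior = [a for a in approvals if _parse_ts(a["ts"]) <= ex_ts]
            if not prior:
                reason = "executed without any prior approval"
            elif all(a["user"] == creator for a in prior):
                reason = "approved only by its own creator"
            else:
                continue  # approved by someone else before execution: normal
            if ex.get("targets", 0) >= mass_target_threshold:
                reason += " against %d agents" % ex["targets"]
            findings.append((proc_id, reason))
    return findings


if __name__ == "__main__":
    for proc_id, reason in find_unapproved_executions(SAMPLE_EVENTS):
        print("ALERT %s: %s" % (proc_id, reason))
```

P-4 illustrates why ordering matters: it does carry an approval, but one recorded half an hour after the execution, so a query that merely joins executions to approvals by procedure ID would miss it.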
