CVE-2022-25246

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote authenticated attackers to take full control of affected systems through hard-coded UltraVNC credentials in Axeda products. All versions of Axeda agent and Axeda Desktop Server for Windows are affected. Attackers can execute arbitrary code with system privileges.

💻 Affected Systems

Products:
  • Axeda agent
  • Axeda Desktop Server for Windows
Versions: All versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations using the default UltraVNC configuration with hard-coded credentials.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the host operating system, allowing attackers to install malware, steal data, pivot to other systems, and maintain persistent access.

🟠

Likely Case

Remote code execution leading to data exfiltration, ransomware deployment, or system disruption in industrial environments.

🟢

If Mitigated

Limited impact if systems are isolated, have strict network segmentation, and VNC access is blocked at firewalls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication but uses known hard-coded credentials. Attack tools for VNC exploitation are widely available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not version-specific - requires configuration changes

Vendor Advisory: https://www.ptc.com/en/support/article/CS363561

Restart Required: Yes

Instructions:

1. Change the UltraVNC password from the default hard-coded credentials.
2. Restart the Axeda services.
3. Ensure VNC is not exposed to untrusted networks.
4. Consider disabling VNC if it is not required.

🔧 Temporary Workarounds

Block VNC network access (Windows)

Use firewall rules to block the UltraVNC port (default 5900) from untrusted networks:

netsh advfirewall firewall add rule name="Block VNC" dir=in action=block protocol=TCP localport=5900

Disable the UltraVNC service (Windows)

Stop and disable the UltraVNC service if remote access is not required:

sc stop uvnc_service
sc config uvnc_service start= disabled

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected systems
  • Deploy host-based firewalls to restrict VNC access to authorized IPs only

🔍 How to Verify

Check if Vulnerable:

Check whether UltraVNC is running with default credentials by attempting a VNC connection using the known hard-coded credentials.

Check Version:

Not applicable: all versions are affected.

Verify Fix Applied:

Verify that a VNC connection fails with the old credentials and succeeds only with the new credentials.

📡 Detection & Monitoring

Log Indicators:

  • Failed VNC authentication attempts
  • Successful VNC connections from unusual IPs
  • Process creation from VNC service

Network Indicators:

  • VNC traffic on port 5900 from unexpected sources
  • Multiple VNC connection attempts

SIEM Query:

source="vnc.log" AND (event="authentication failed" OR event="connection established")
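As an added example (not part of this advisory or any PTC or UltraVNC tooling), the script below applies the log indicators above to constructed VNC-server-style log lines: it flags sources with repeated authentication failures, successful connections from sources outside an allow list, and sources that connected successfully after failing. The "<timestamp> <event> from <ip>" line format, the allow list and the failure threshold are assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in an assumed "<time> <event> from <ip>" format.
SAMPLE_LOG = """\
2024-01-10T08:00:01 authentication failed from 10.0.0.5
2024-01-10T08:00:02 authentication failed from 10.0.0.5
2024-01-10T08:00:03 authentication failed from 10.0.0.5
2024-01-10T08:00:04 authentication failed from 10.0.0.5
2024-01-10T08:00:05 authentication failed from 10.0.0.5
2024-01-10T08:00:06 connection established from 10.0.0.5
2024-01-10T09:15:00 connection established from 192.168.1.20
2024-01-10T09:16:00 connection established from 203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+) (authentication failed|connection established) from (\S+)$")


def parse(log_text):
    """Yield (timestamp, event, ip) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def analyze(log_text, allowed_ips, fail_threshold=5):
    """Return findings keyed by indicator type, each a sorted list of source IPs.

    brute_force:            at least fail_threshold failed logins from one source
    unexpected_source:      successful connection from a source not in allowed_ips
    success_after_failures: source connected successfully after failing (guessed password)
    """
    failures = Counter()
    successes = defaultdict(list)
    for ts, event, ip in parse(log_text):
        if event == "authentication failed":
            failures[ip] += 1
        else:
            successes[ip].append(ts)
    return {
        "brute_force": sorted(ip for ip, n in failures.items() if n >= fail_threshold),
        "unexpected_source": sorted(ip for ip in successes if ip not in allowed_ips),
        "success_after_failures": sorted(ip for ip in successes if failures[ip] > 0),
    }


if __name__ == "__main__":
    # Assumed allow list: only the management host may open VNC sessions.
    for kind, ips in analyze(SAMPLE_LOG, allowed_ips={"192.168.1.20"}).items():
        print(f"{kind}: {', '.join(ips) or 'none'}")
```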
