CVE-2022-26111

8.8 HIGH

📋 TL;DR

CVE-2022-26111 allows remote code execution in IRISNext document management systems through BeanShell expressions in custom searches. Attackers can execute arbitrary commands on the server with the privileges of the IRISNext application user. Organizations using IRISNext through version 9.8.28 are affected.

💻 Affected Systems

Products:
  • IRISNext
Versions: through 9.8.28
Operating Systems: All platforms running IRISNext
Default Config Vulnerable: ⚠️ Yes
Notes: Requires ability to create or edit searches, which may be available to authenticated users with appropriate permissions

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise leading to data exfiltration, ransomware deployment, or complete system takeover

🟠 Likely Case: Unauthorized access to sensitive documents, installation of backdoors, or lateral movement within the network

🟢 If Mitigated: Limited impact if proper network segmentation and least privilege principles are implemented

🌐 Internet-Facing: HIGH - Web application directly exposed to internet with RCE capability
🏢 Internal Only: HIGH - Even internal systems can be exploited by authenticated users or attackers who gain initial access

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to create/edit searches. Public proof-of-concept demonstrates the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.8.29 or later

Vendor Advisory: https://varsnext.iriscorporate.com/

Restart Required: Yes

Instructions:

1. Back up the IRISNext installation and data.
2. Download and install IRISNext version 9.8.29 or later from the official vendor.
3. Restart the IRISNext service.
4. Verify that the update was successful.

🔧 Temporary Workarounds

Disable BeanShell search expressions (Platforms: all)

Temporarily disable the ability to use BeanShell expressions in search functionality.

Modify the IRISNext configuration to remove BeanShell expression support from search components.

Restrict search creation permissions (Platforms: all)

Limit which users can create or edit searches to trusted administrators only.

Review and modify user permissions in the IRISNext administration panel.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate IRISNext servers from critical systems
  • Enable detailed logging and monitoring for search creation/modification activities

🔍 How to Verify

Check if Vulnerable:

Check the IRISNext version in the administration panel or configuration files. If the version is 9.8.28 or earlier, the system is vulnerable.

Check Version:

Check the IRISNext web interface administration panel or consult the application configuration files.

Verify Fix Applied:

Verify that version 9.8.29 or later is installed, and test that BeanShell expressions in searches no longer execute arbitrary commands.

📡 Detection & Monitoring

Log Indicators:

  • Unusual search creation/modification events
  • BeanShell expression execution in search logs
  • Unexpected system command execution

Network Indicators:

  • Outbound connections from IRISNext server to unexpected destinations
  • Unusual traffic patterns from IRISNext application

SIEM Query:

source="irisnext" AND (event="search_created" OR event="search_modified") AND expression="*BeanShell*"
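The SIEM query above, as an added offline Python filter (not code from the page or the vendor) run over constructed key="value" log lines; it also flags whether the acting user is on a trusted-administrator list, matching the "restrict search creation" workaround. The IRISNext log format, the field names and the literal "BeanShell" marker in the expression field are assumptions, so adapt the parser and marker to your actual log source.

```python
import re
from typing import Dict, List, FrozenSet

# Constructed sample log lines; the real IRISNext log format is not
# documented on this page, so the field names are assumptions.
SAMPLE_LOG = """\
ts="2024-05-01T10:02:11Z" source="irisnext" event="search_created" user="alice" search="Invoices Q1" expression="title:invoice AND year:2024"
ts="2024-05-01T10:05:43Z" source="irisnext" event="search_modified" user="bob" search="Contracts" expression="BeanShell: listFolders()"
ts="2024-05-01T10:06:00Z" source="irisnext" event="login" user="bob"
ts="2024-05-01T10:09:27Z" source="irisnext" event="search_created" user="carol" search="Exports" expression="beanshell eval"
ts="2024-05-01T10:11:05Z" source="irisnext" event="search_created" user="admin" search="Audit" expression="BeanShell: auditHelper()"
"""

SEARCH_EVENTS = {"search_created", "search_modified"}
BEANSHELL_MARKER = "beanshell"  # assumed marker, mirrors expression="*BeanShell*"


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key="value" log line into a dict (constructed format)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def is_beanshell_search_event(rec: Dict[str, str]) -> bool:
    """Same predicate as the SIEM query: a search create/modify event from
    the irisnext source whose expression mentions BeanShell (case-insensitive)."""
    return (rec.get("source") == "irisnext"
            and rec.get("event") in SEARCH_EVENTS
            and BEANSHELL_MARKER in rec.get("expression", "").lower())


def find_suspicious_events(log_text: str,
                           trusted_users: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Return one record per matching event, with a triage reason that
    distinguishes trusted administrators from everyone else."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not is_beanshell_search_event(rec):
            continue
        user = rec.get("user", "?")
        reason = ("trusted user, review change" if user in trusted_users
                  else "untrusted user created/modified BeanShell search")
        hits.append({"ts": rec.get("ts", ""), "user": user,
                     "search": rec.get("search", ""), "reason": reason})
    return hits


if __name__ == "__main__":
    for h in find_suspicious_events(SAMPLE_LOG, frozenset({"admin"})):
        print(f'{h["ts"]} {h["user"]:<6} {h["search"]!r}: {h["reason"]}')
```

Note that this, like the SIEM query, only catches expressions that literally contain the marker; if your logs do not tag the expression type, alert on every search create/modify event by a non-administrator instead.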
