CVE-2022-28944
📋 TL;DR
This vulnerability allows remote code execution in multiple EMCO Software products when users trigger software updates. Attackers can exploit the updater's lack of integrity checking to inject malicious code that runs with the application's privileges. Affected users include anyone running vulnerable versions of EMCO's network management and system administration tools.
💻 Affected Systems
- MSI Package Builder for Windows
- Remote Installer for Windows
- Ping Monitor for Windows
- Remote Shutdown for Windows
- WakeOnLan
- Network Inventory for Windows
- Network Software Scanner for Windows
- UnLock IT for Windows
📦 What is this software?
Msi Package Builder by Emcosoftware
Network Inventory by Emcosoftware
Ping Monitor by Emcosoftware
Remote Installer by Emcosoftware
Remote Shutdown by Emcosoftware
Unlock It by Emcosoftware
Wakeonlan by Emcosoftware
Wakeonlan by Emcosoftware
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install persistent malware, steal credentials, pivot to other systems, and maintain long-term access to the network.
Likely Case
Initial foothold leading to privilege escalation, lateral movement within the network, and deployment of ransomware or data exfiltration tools.
If Mitigated
Limited impact with proper network segmentation and least privilege, potentially only affecting isolated systems without critical data.
🎯 Exploit Status
Exploitation requires user interaction to trigger update, but technical complexity is low once triggered. Public advisory includes technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check EMCO Software website for latest versions
Vendor Advisory: http://emco.com
Restart Required: Yes
Instructions:
1. Visit EMCO Software website 2. Download latest versions of affected products 3. Install updates 4. Restart systems 5. Verify updates applied successfully
🔧 Temporary Workarounds
Disable Auto-Updates
windowsPrevent the vulnerable updater from running by disabling automatic update functionality
Check product settings for update options and disable
Network Segmentation
allBlock updater network traffic at firewall to prevent malicious update payloads
Block outbound connections from EMCO products to update servers
🧯 If You Can't Patch
- Implement strict network controls to prevent EMCO products from accessing external update servers
- Run EMCO software with minimal privileges and in isolated environments
🔍 How to Verify
Check if Vulnerable:
Check Help > About in each EMCO product to see if version matches affected listCheck Version:
Check application Help menu or Windows Programs and FeaturesVerify Fix Applied:
Verify version number is higher than affected versions listed and check update functionality works securely📡 Detection & Monitoring
Log Indicators:
- Unusual update activity from EMCO products
- Process creation from EMCO updater with suspicious parameters
- Network connections to non-EMCO domains during update process
Network Indicators:
- HTTP/HTTPS traffic from EMCO products to non-standard update servers
- Large downloads during update process with unusual file types
SIEM Query:
source="EMCO*" AND (event="update" OR process="updater*") AND dest_ip NOT IN [emco_update_servers]