CVE-2022-45766

9.1 CRITICAL

📋 TL;DR

Global Facilities Management Software (GFMS) Version 3 contains hardcoded credentials that allow remote attackers to compromise electronic key box systems. This vulnerability enables attackers to access, modify, or disrupt key management operations. Organizations using GFMS Version 3 for physical security key management are affected.

💻 Affected Systems

Products:
  • Global Facilities Management Software (GFMS)
Versions: Version 3
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of GFMS Version 3 are vulnerable regardless of configuration due to hardcoded credentials in the software.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain complete control over electronic key boxes, potentially unlocking physical access to secured facilities, stealing keys, or disabling key management systems entirely.

🟠

Likely Case

Unauthorized access to key management systems leading to unauthorized key issuance, access log manipulation, or denial of service for legitimate users.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, though hardcoded credentials remain a persistent threat.

🌐 Internet-Facing: HIGH - Remote exploitation possible if systems are exposed to internet, allowing attackers to bypass authentication entirely.
🏢 Internal Only: HIGH - Even internally, any network-accessible GFMS system can be compromised using the hardcoded credentials.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only knowledge of the hardcoded credentials, which are likely documented or easily discovered. No special tools or skills needed beyond basic network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

Contact Key Systems Management for updated software version. No official patch information is publicly available at this time.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate GFMS systems from untrusted networks and implement strict firewall rules.

Credential Rotation (applies to: all)

If possible, change any default or hardcoded credentials in the system configuration.

🧯 If You Can't Patch

  • Implement strict network access controls allowing only authorized IP addresses to connect to GFMS systems
  • Deploy network monitoring and intrusion detection specifically for GFMS traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check if running GFMS Version 3. Attempt authentication using known default/hardcoded credentials if available.

Check Version:

Check GFMS application interface or configuration files for version information

Verify Fix Applied:

Verify software has been updated to a version beyond 3.0. Test that hardcoded credentials no longer work.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts followed by successful login with default credentials
  • Unusual access patterns to key management functions

Network Indicators:

  • Unauthorized IP addresses accessing GFMS management ports
  • Traffic patterns indicating credential guessing

SIEM Query:

source="gfms" AND event_type="auth_success" AND (user="default" OR user="admin")

Note: without the parentheses around the user clause, AND binds tighter than OR and the query would match every event with user="admin", not only successful logins.
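The log indicators and SIEM query above, as an added detection example that is not part of this advisory: it replays constructed log lines (the key=value layout and field names are assumptions, since GFMS's real log format is not documented here) and flags each successful login by a default account, recording how many failed attempts from the same source preceded it.

```python
import re
from collections import defaultdict

# Accounts the advisory's SIEM query treats as default/hardcoded logins.
DEFAULT_ACCOUNTS = {"default", "admin"}

# Assumed "key=value" line layout; GFMS's real log format is not on the page.
LINE_RE = re.compile(r"ts=(\S+) src=(\S+) event_type=(\S+) user=(\S+)")

# Constructed sample lines: host 10.0.5.7 fails twice, then succeeds as "admin".
SAMPLE_LOGS = """\
ts=2024-01-10T08:00:01 src=10.0.5.7 event_type=auth_failure user=operator
ts=2024-01-10T08:00:03 src=10.0.5.7 event_type=auth_failure user=operator
ts=2024-01-10T08:00:05 src=10.0.5.7 event_type=auth_success user=admin
ts=2024-01-10T08:01:00 src=10.0.9.2 event_type=auth_success user=jsmith
ts=2024-01-10T08:02:00 src=10.0.9.3 event_type=auth_success user=default
""".splitlines()


def parse(line):
    """Return (ts, src, event_type, user) or None for lines that do not match."""
    m = LINE_RE.search(line)
    return m.groups() if m else None


def find_default_logins(lines):
    """Flag every auth_success by a default account and report how many failed
    attempts from the same source came immediately before it (guessing, then
    falling back to the hardcoded login)."""
    failures = defaultdict(int)  # src -> consecutive failures seen so far
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, event_type, user = rec
        if event_type == "auth_failure":
            failures[src] += 1
        elif event_type == "auth_success":
            if user in DEFAULT_ACCOUNTS:
                alerts.append({"ts": ts, "src": src, "user": user,
                               "prior_failures": failures[src]})
            failures[src] = 0  # a success resets the streak for that source
    return alerts


if __name__ == "__main__":
    for alert in find_default_logins(SAMPLE_LOGS):
        print(alert)
```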
