CVE-2022-31199
CVE-2022-31199 is a critical-severity vulnerability in Netwrix Auditor with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-07-11). The underlying weakness is classified as CWE-502.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 36% (98th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-07-11)
- EU (EUVD) id: EUVD-2022-53293
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-07-11)
- Weakness: CWE-502
- Affected product: Netwrix Auditor
- Published:
- Last modified:
Description
Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.
CVE-2022-31199: Unauthenticated Remote Code Execution in Netwrix Auditor Video Recording Protocol
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2022-31199 is a critical remote code execution vulnerability in the Netwrix Auditor User Activity Video Recording component. An unauthenticated attacker on the network can exploit a deserialization weakness in the component's underlying protocol to execute arbitrary code with the highest privileges on both the Auditor server and any monitored systems running the agent.
Background
Netwrix Auditor is a visibility and governance platform used to monitor user activity, detect threats, and pass compliance audits across on-premises and cloud environments. The product includes a User Activity Video Recording component that captures screen sessions for later review. The network protocol that transports and processes these video recordings contains a deserialization path that does not adequately validate incoming data, creating a remotely exploitable attack surface.
Root Cause
The vulnerability is classified under CWE-502: Deserialization of Untrusted Data. The video recording component accepts serialized objects over the network without proper type checking or sandboxing. When a malicious payload is deserialized, it can trigger instantiation of arbitrary classes and chain into remote code execution. Because the protocol is exposed to the network and lacks authentication before the deserialization step, the flaw is reachable by any attacker who can route traffic to the affected service.
Impact
This vulnerability carries a CVSS 3.1 score of 9.8 (Critical) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The impact is severe across all three core security dimensions:
- Confidentiality: High — An attacker can read sensitive files, access credentials stored in memory, and exfiltrate session recordings.
- Integrity: High — SYSTEM-level access allows the attacker to modify binaries, install persistent implants, and tamper with audit logs.
- Availability: High — The attacker can disable services, delete data, or deploy ransomware.
Because the affected component runs on both the central Auditor server and the agents installed on monitored endpoints, compromise can spread laterally across the monitored infrastructure.
Exploitation Walkthrough (Defensive Perspective)
From a defender's standpoint, the attack surface is straightforward: the Netwrix Auditor video recording protocol listens on the network and accepts serialized objects. An attacker positioned on the same network or able to reach the service via routing can send a crafted payload that abuses the deserialization path. Successful exploitation yields an interactive shell or equivalent execution primitive running as NT AUTHORITY\SYSTEM.
No working exploit code is provided here. The goal for defenders is to understand the exposure: any system where the Auditor server or agent is reachable from untrusted network segments should be treated as high risk. If your network architecture places the video recording endpoint on an internal flat network, an attacker who breaches a single workstation can pivot directly to full SYSTEM control on the audit server.
Affected and Patched Versions
The source data indicates the affected product is Netwrix Auditor. Specific patched version information was not available in the provided source data; organizations should consult Netwrix support and the vendor's security advisory page for the definitive fix matrix. At the time of disclosure, the vulnerability was confirmed to affect the video recording component on both the central server and monitored endpoint agents.
Remediation
- Apply vendor patches immediately. Contact Netwrix to obtain the patched build for the User Activity Video Recording component and deploy it to both the Auditor server and all endpoint agents.
- Segment the network. Place the video recording service and Auditor infrastructure on an isolated management VLAN with strict access controls. Do not expose the service to general user networks or the internet.
- Restrict inbound connections. Use host-based firewalls to allow only authorized administrative hosts to reach the video recording port.
- Compensating controls. If patching is delayed, disable the User Activity Video Recording component until the fix can be applied, and monitor the relevant service ports for unexpected connections.
Detection
- Monitor for unusual deserialization alerts in the application or surrounding EDR telemetry.
- Alert on process spawning from the Netwrix Auditor service context that is not part of normal operations, especially
cmd.exe,powershell.exe, orwscript.exerunning asSYSTEM. - Review network flow logs for inbound connections to the video recording service from non-administrative subnets.
- Correlate with CISA KEV catalog entries for CVE-2022-31199 to prioritize detection engineering.
Assessment
This vulnerability is exceptionally dangerous due to its unauthenticated, network-reachable, SYSTEM-level impact. The EPSS score of 0.36152 places it in the 98.3rd percentile, indicating a high probability of active exploitation in the wild. CISA added it to the Known Exploited Vulnerabilities catalog on 2023-07-11, and it is associated with ransomware campaigns. Two key lessons emerge: first, serialization boundaries in network-facing services must always validate input with strict allow-lists; second, audit and monitoring tools themselves are high-value targets because they often run with elevated privileges across the enterprise.
References
Frequently asked questions
- What is CVE-2022-31199?
- Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.
- How severe is CVE-2022-31199?
- CVE-2022-31199 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-31199 being actively exploited?
- Yes. CVE-2022-31199 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-07-11, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2022-31199?
- CVE-2022-31199 affects Netwrix Auditor. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-31199?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2022-31199 have an EU (EUVD) identifier?
- Yes. CVE-2022-31199 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-53293. It is also flagged as exploited in the EUVD (since 2023-07-11).
- When was CVE-2022-31199 published?
- CVE-2022-31199 was published on 2022-11-08 and last updated on 2026-06-17.
References
- https://bishopfox.com/blog/netwrix-auditor-advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-31199
Affected products (1)
- cpe:2.3:a:netwrix:auditor:*:*:*:*:*:*:*:*
More vulnerabilities in Netwrix Auditor
- CVE-2019-14969 — High (CVSS 7.8): Netwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\Netwrix Auditor\Logs\ActiveDirectory\ and…
All CVEs affecting Netwrix Auditor →
Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities
- CVE-2026-41104 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose…
- CVE-2026-43633 — Critical (CVSS 10.0): HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a…
- CVE-2026-33819 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
- CVE-2026-20131 — Critical (CVSS 10.0): A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2026-25632 — Critical (CVSS 10.0): EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water…
- CVE-2025-14931 — Critical (CVSS 10.0): Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability.…
Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →