CVE-2022-31199

CVE-2022-31199 is a critical-severity vulnerability in Netwrix Auditor with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-07-11). The underlying weakness is classified as CWE-502.

Key facts

Description

Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.

CVE-2022-31199: Unauthenticated Remote Code Execution in Netwrix Auditor Video Recording Protocol

AI-generated analysis based on the vulnerability data on this page.

Summary

CVE-2022-31199 is a critical remote code execution vulnerability in the Netwrix Auditor User Activity Video Recording component. An unauthenticated attacker on the network can exploit a deserialization weakness in the component's underlying protocol to execute arbitrary code with the highest privileges on both the Auditor server and any monitored systems running the agent.

Background

Netwrix Auditor is a visibility and governance platform used to monitor user activity, detect threats, and pass compliance audits across on-premises and cloud environments. The product includes a User Activity Video Recording component that captures screen sessions for later review. The network protocol that transports and processes these video recordings contains a deserialization path that does not adequately validate incoming data, creating a remotely exploitable attack surface.

Root Cause

The vulnerability is classified under CWE-502: Deserialization of Untrusted Data. The video recording component accepts serialized objects over the network without proper type checking or sandboxing. When a malicious payload is deserialized, it can trigger instantiation of arbitrary classes and chain into remote code execution. Because the protocol is exposed to the network and lacks authentication before the deserialization step, the flaw is reachable by any attacker who can route traffic to the affected service.

Impact

This vulnerability carries a CVSS 3.1 score of 9.8 (Critical) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The impact is severe across all three core security dimensions:

  • Confidentiality: High — An attacker can read sensitive files, access credentials stored in memory, and exfiltrate session recordings.
  • Integrity: High — SYSTEM-level access allows the attacker to modify binaries, install persistent implants, and tamper with audit logs.
  • Availability: High — The attacker can disable services, delete data, or deploy ransomware.

Because the affected component runs on both the central Auditor server and the agents installed on monitored endpoints, compromise can spread laterally across the monitored infrastructure.

Exploitation Walkthrough (Defensive Perspective)

From a defender's standpoint, the attack surface is straightforward: the Netwrix Auditor video recording protocol listens on the network and accepts serialized objects. An attacker positioned on the same network or able to reach the service via routing can send a crafted payload that abuses the deserialization path. Successful exploitation yields an interactive shell or equivalent execution primitive running as NT AUTHORITY\SYSTEM.

No working exploit code is provided here. The goal for defenders is to understand the exposure: any system where the Auditor server or agent is reachable from untrusted network segments should be treated as high risk. If your network architecture places the video recording endpoint on an internal flat network, an attacker who breaches a single workstation can pivot directly to full SYSTEM control on the audit server.

Affected and Patched Versions

The source data indicates the affected product is Netwrix Auditor. Specific patched version information was not available in the provided source data; organizations should consult Netwrix support and the vendor's security advisory page for the definitive fix matrix. At the time of disclosure, the vulnerability was confirmed to affect the video recording component on both the central server and monitored endpoint agents.

Remediation

  1. Apply vendor patches immediately. Contact Netwrix to obtain the patched build for the User Activity Video Recording component and deploy it to both the Auditor server and all endpoint agents.
  2. Segment the network. Place the video recording service and Auditor infrastructure on an isolated management VLAN with strict access controls. Do not expose the service to general user networks or the internet.
  3. Restrict inbound connections. Use host-based firewalls to allow only authorized administrative hosts to reach the video recording port.
  4. Compensating controls. If patching is delayed, disable the User Activity Video Recording component until the fix can be applied, and monitor the relevant service ports for unexpected connections.

Detection

  • Monitor for unusual deserialization alerts in the application or surrounding EDR telemetry.
  • Alert on process spawning from the Netwrix Auditor service context that is not part of normal operations, especially cmd.exe, powershell.exe, or wscript.exe running as SYSTEM.
  • Review network flow logs for inbound connections to the video recording service from non-administrative subnets.
  • Correlate with CISA KEV catalog entries for CVE-2022-31199 to prioritize detection engineering.

Assessment

This vulnerability is exceptionally dangerous due to its unauthenticated, network-reachable, SYSTEM-level impact. The EPSS score of 0.36152 places it in the 98.3rd percentile, indicating a high probability of active exploitation in the wild. CISA added it to the Known Exploited Vulnerabilities catalog on 2023-07-11, and it is associated with ransomware campaigns. Two key lessons emerge: first, serialization boundaries in network-facing services must always validate input with strict allow-lists; second, audit and monitoring tools themselves are high-value targets because they often run with elevated privileges across the enterprise.

References

Frequently asked questions

What is CVE-2022-31199?
Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.
How severe is CVE-2022-31199?
CVE-2022-31199 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2022-31199 being actively exploited?
Yes. CVE-2022-31199 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-07-11, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2022-31199?
CVE-2022-31199 affects Netwrix Auditor. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2022-31199?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2022-31199 have an EU (EUVD) identifier?
Yes. CVE-2022-31199 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-53293. It is also flagged as exploited in the EUVD (since 2023-07-11).
When was CVE-2022-31199 published?
CVE-2022-31199 was published on 2022-11-08 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Netwrix Auditor

All CVEs affecting Netwrix Auditor →

Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities

Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →