HelpSystems published its news on an out-of-band Cobalt Strike update to address a critical RCE vulnerability in Cobalt Strike. The CVE-2022-42948 is a remote code vulnerability that hackers can exploit by using a tag and running it within a graphical file explorer menu. It stems from an incomplete patch for CVE-2022-39197, released on September 20th, 2022.
Since any unauthenticated remote attacker can exploit this flaw and perform hacking operations remotely on the administrative interface, it is important to know how to fix CVE-2022-42948, a Critical RCE vulnerability in Cobalt Strike. The company’s release notes explained the vulnerability and how to fix it. Let’s learn about it.
Cobalt Strike is a commercial third-party framework that IBM Security X-Force Red uses for adversary stimulation. It has covert channels and post-exploitation agents that help you emulate a long-term embedded actor in your customer’s network. It is marketed to the red teams for this purpose but is also actively stolen and used by many threat actors.
Cobalt Strike has two primary components in its framework, and both are in the same Java executable (JAR file). The components are as follows;
Team Server: A C2 server that accepts general web requests, BEACON callbacks, and client connections. It accepts client connections on TCP port 50050 by default. Linux systems only support it.
Client: It helps operators connect to the team server. It can be connected remotely or run on the same system as the Team server. It is supported by macOS, Windows, or Linux systems.
CVE-2022-42948 is a recent vulnerability detected and released by HelpSystems. According to the company, it is a remote code execution vulnerability that hackers can exploit, taking control of targeted systems.
CVSS Break Up
Platform Affected | HelpSystems Cobalt Strike 4.7.1 |
Exploitability | Not proven |
Risk Level | 9.8 |
Consequences | Gain Access |
User Interaction | None |
Privileges Required | None |
Access Vector | Network |
Scope | Unchanged |
Access Complexity | Low |
Availability Impact | High |
Integrity Impact | High |
Remediation Level | Official Fix |
Confidentiality Impact | High |
In a release note, the company said;
“Certain Java Swing components interpret the test as HTML content automatically if it starts with <html>. Hackers use an object tag and can exploit this, and load a malicious payload, which is then carried out by the Cobalt Strike client ”
-Cobolt Strike
It was found that the vulnerability can be triggered only in specific cases and that too, by using a Java Swing framework. The exposure of the flaw was accompanied by the release of Cobalt Strike version 4.7.2. The company, however, hasn’t assigned it a new CVE, as it says in a post that the vulnerability is not specific to Cobalt Strike.
The way threat actors can exploit this vulnerability is by loading a malicious payload that is hosted on a remote server. They use an HTML <object> tag and inject it within the graphical file explorer menu or the note field in the post-exploitation platform UI.
The company said that disabling the automatic HTML tags parsing across the client was enough to mitigate this behavior.
CVE-2022-42948- a critical RCE Vulnerability in Cobalt Strike affects version 4.7.1. The reason for this vulnerability was the previous release of an incomplete patch for cross-site-scripting (XSS) vulnerability on 20th September 2022.
The vulnerability was numbered CVE-2022-39197. According to the IBM (sponsored Security Intelligence team) advisory, the attackers could trigger this vulnerability in three ways: stimulating an implant check-in in Cobalt Strike, client-side UI input fields manipulation, or hooking an implant in Cobalt Strike that runs on a host.
The only way to fix CVE-2022-42948-a critical RCE Vulnerability in Cobalt Strike as prescribed by HelpSystems is to upgrade the Cobalt Strike version 4.7.1 to 4.7.2. If you’re a licensed user of the software, you can get the new version by
or downloading it from scratch from the website.
If you’re planning to get the latest version of the software, it is recommended to keep a copy of the existing Cobalt Strike before upgrading in case you need to revert to the old version.
The flaw stems from an incomplete patch for CVE-2022-39197. Fixing this vulnerability requires an upgrade to the latest version 4.7.2. We hope this post would help you know how to fix CVE-2022-42948- a critical RCE Vulnerability in Cobalt Strike. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
You may also like these articles:
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”
"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.
BurpGPT is a cutting-edge Burp Suite extension that harnesses the power of OpenAI's language models to revolutionize web application security testing. With customizable prompts and advanced AI capabilities, BurpGPT enables security professionals to uncover bespoke vulnerabilities, streamline assessments, and stay ahead of evolving threats.
PentestGPT, developed by Gelei Deng and team, revolutionizes penetration testing by harnessing AI power. Leveraging OpenAI's GPT-4, it automates and streamlines the process, making it efficient and accessible. With advanced features and interactive guidance, PentestGPT empowers testers to identify vulnerabilities effectively, representing a significant leap in cybersecurity.
Tenable BurpGPT is a powerful Burp Suite extension that leverages OpenAI's advanced language models to analyze HTTP traffic and identify potential security risks. By automating vulnerability detection and providing AI-generated insights, BurpGPT dramatically reduces manual testing efforts for security researchers, developers, and pentesters.
Microsoft Security Copilot is a revolutionary AI-powered security solution that empowers cybersecurity professionals to identify and address potential breaches effectively. By harnessing advanced technologies like OpenAI's GPT-4 and Microsoft's extensive threat intelligence, Security Copilot streamlines threat detection and response, enabling defenders to operate at machine speed and scale.