How To Fix CVE-2022-42948- A Critical RCE Vulnerability in Cobalt Strike

HelpSystems published its news on an out-of-band Cobalt Strike update to address a critical RCE vulnerability in Cobalt Strike. The CVE-2022-42948 is a remote code vulnerability that hackers can exploit by using a tag and running it within a graphical file explorer menu. It stems from an incomplete patch for CVE-2022-39197, released on September 20th, 2022. 

Since any unauthenticated remote attacker can exploit this flaw and perform hacking operations remotely on the administrative interface, it is important to know how to fix CVE-2022-42948, a Critical RCE vulnerability in Cobalt Strike. The company’s release notes explained the vulnerability and how to fix it. Let’s learn about it.

A Short Note About Cobalt Strike

Cobalt Strike is a commercial third-party framework that IBM Security X-Force Red uses for adversary stimulation. It has covert channels and post-exploitation agents that help you emulate a long-term embedded actor in your customer’s network. It is marketed to the red teams for this purpose but is also actively stolen and used by many threat actors. 

Cobalt Strike has two primary components in its framework, and both are in the same Java executable (JAR file). The components are as follows; 

Summary of CVE-2022-42948

CVE-2022-42948 is a recent vulnerability detected and released by HelpSystems. According to the company, it is a remote code execution vulnerability that hackers can exploit, taking control of targeted systems. 

CVSS Break Up

Detailed Summary

In a release note, the company said; 

“Certain Java Swing components interpret the test as HTML content automatically if it starts with <html>. Hackers use an object tag and can exploit this, and load a malicious payload, which is then carried out by the Cobalt Strike client ” 
-Cobolt Strike

It was found that the vulnerability can be triggered only in specific cases and that too, by using a Java Swing framework. The exposure of the flaw was accompanied by the release of Cobalt Strike version 4.7.2. The company, however, hasn’t assigned it a new CVE, as it says in a post that the vulnerability is not specific to Cobalt Strike. 

The way threat actors can exploit this vulnerability is by loading a malicious payload that is hosted on a remote server. They use an HTML <object> tag and inject it within the graphical file explorer menu or the note field in the post-exploitation platform UI. 

The company said that disabling the automatic HTML tags parsing across the client was enough to mitigate this behavior. 

Cobalt Strike Versions Affected by CVE-2022-42948

CVE-2022-42948- a critical RCE Vulnerability in Cobalt Strike affects version 4.7.1. The reason for this vulnerability was the previous release of an incomplete patch for cross-site-scripting (XSS) vulnerability on 20th September 2022. 

The vulnerability was numbered CVE-2022-39197. According to the IBM (sponsored Security Intelligence team) advisory, the attackers could trigger this vulnerability in three ways: stimulating an implant check-in in Cobalt Strike, client-side UI input fields manipulation, or hooking an implant in Cobalt Strike that runs on a host. 

How To Fix CVE-2022-42948- A Critical RCE Vulnerability in Cobalt Strike?

The only way to fix CVE-2022-42948-a critical RCE Vulnerability in Cobalt Strike as prescribed by HelpSystems is to upgrade the Cobalt Strike version 4.7.1 to 4.7.2. If you’re a licensed user of the software, you can get the new version by

or downloading it from scratch from the website. 

If you’re planning to get the latest version of the software, it is recommended to keep a copy of the existing Cobalt Strike before upgrading in case you need to revert to the old version. 

Wrap Up

The flaw stems from an incomplete patch for CVE-2022-39197. Fixing this vulnerability requires an upgrade to the latest version 4.7.2. We hope this post would help you know how to fix CVE-2022-42948- a critical RCE Vulnerability in Cobalt Strike. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.