CVE-2022-42948

Published: Mar 24, 2023Modified: Nov 3, 2025CISA KEV

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Cobalt Strike 4.7.1 fails to properly escape HTML tags when they are displayed on Swing components. By injecting crafted HTML code, it is possible to remotely execute code in the Cobalt Strike UI.

Affected (1)

Products: Helpsystems: Cobalt Strike

Helpsystems

1 product

Cobalt Strike

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Helpsystems Cobalt Strike	Version 4.7.1

Related CWEs

CWE-116

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References (7)

https://thesecmaster.com/how-to-fix-cve-2022-42948-a-critical-rce-vulnerability-in-cobalt-strike/

Source: cve@mitre.org

Technical DescriptionThird Party Advisory

https://www.cobaltstrike.com/blog/

Source: cve@mitre.org

Vendor Advisory

https://www.redpacketsecurity.com/helpsystems-cobalt-strike-code-execution-cve-2022-42948/

Source: cve@mitre.org

Third Party Advisory

https://thesecmaster.com/how-to-fix-cve-2022-42948-a-critical-rce-vulnerability-in-cobalt-strike/

Source: af854a3a-2127-422b-91ae-364da2661108

Technical DescriptionThird Party Advisory

https://www.cobaltstrike.com/blog/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.redpacketsecurity.com/helpsystems-cobalt-strike-code-execution-cve-2022-42948/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-42948

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.