CVE-2022-42948 (GCVE-0-2022-42948)

Vulnerability from cvelistv5 – Published: 2023-03-24 00:00 – Updated: 2025-10-21 23:15
VLAI? CISA KEV
Summary
Cobalt Strike 4.7.1 fails to properly escape HTML tags when they are displayed on Swing components. By injecting crafted HTML code, it is possible to remotely execute code in the Cobalt Strike UI.
Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
  • n/a
Assigner
References
CISA KEV
Known Exploited Vulnerability - GCVE BCP-07 Compliant
KEV entry ID: 6c51b343-6c7d-4b70-babe-8606c243d2c3

Vulnerability ID: CVE-2022-42948

Status: Confirmed

Status Updated: 2023-03-30 00:00 UTC

Exploited: Yes

Timestamps
First Seen: 2023-03-30
Asserted: 2023-03-30
Scope
Notes: KEV entry: Fortra Cobalt Strike User Interface Remote Code Execution Vulnerability | Affected: Fortra / Cobalt Strike | Description: Fortra Cobalt Strike User Interface contains an unspecified vulnerability rooted in Java Swing that may allow remote code execution. | Required action: Apply updates per vendor instructions. | Due date: 2023-04-20 | Known ransomware campaign use (KEV): Unknown | Notes (KEV): https://www.cobaltstrike.com/blog/out-of-band-update-cobalt-strike-4-7-2/; https://nvd.nist.gov/vuln/detail/CVE-2022-42948
Evidence

Type: Vendor Report

Signal: Successful Exploitation

Confidence: 80%

Source: cisa-kev

Details
Cwes CWE-79 CWE-116
Feed CISA Known Exploited Vulnerabilities Catalog
Product Cobalt Strike
Due Date 2023-04-20
Date Added 2023-03-30
Vendorproject Fortra
Vulnerabilityname Fortra Cobalt Strike User Interface Remote Code Execution Vulnerability
Knownransomwarecampaignuse Unknown
References
Created: 2026-02-02 12:27 UTC | Updated: 2026-02-06 07:17 UTC
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:19:05.527Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cobaltstrike.com/blog/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.redpacketsecurity.com/helpsystems-cobalt-strike-code-execution-cve-2022-42948/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://thesecmaster.com/how-to-fix-cve-2022-42948-a-critical-rce-vulnerability-in-cobalt-strike/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-42948",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-28T21:13:12.898964Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2023-03-30",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-42948"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-116",
                "description": "CWE-116 Improper Encoding or Escaping of Output",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:15:21.818Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-42948"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2023-03-30T00:00:00+00:00",
            "value": "CVE-2022-42948 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cobalt Strike 4.7.1 fails to properly escape HTML tags when they are displayed on Swing components. By injecting crafted HTML code, it is possible to remotely execute code in the Cobalt Strike UI."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-03-24T00:00:00.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.cobaltstrike.com/blog/"
        },
        {
          "url": "https://www.redpacketsecurity.com/helpsystems-cobalt-strike-code-execution-cve-2022-42948/"
        },
        {
          "url": "https://thesecmaster.com/how-to-fix-cve-2022-42948-a-critical-rce-vulnerability-in-cobalt-strike/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42948",
    "datePublished": "2023-03-24T00:00:00.000Z",
    "dateReserved": "2022-10-14T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:15:21.818Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2022-42948",
      "cwes": "[\"CWE-79\", \"CWE-116\"]",
      "dateAdded": "2023-03-30",
      "dueDate": "2023-04-20",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://www.cobaltstrike.com/blog/out-of-band-update-cobalt-strike-4-7-2/;  https://nvd.nist.gov/vuln/detail/CVE-2022-42948",
      "product": "Cobalt Strike",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "Fortra Cobalt Strike User Interface contains an unspecified vulnerability rooted in Java Swing that may allow remote code execution.",
      "vendorProject": "Fortra",
      "vulnerabilityName": "Fortra Cobalt Strike User Interface Remote Code Execution Vulnerability"
    },
    "fkie_nvd": {
      "cisaActionDue": "2023-04-20",
      "cisaExploitAdd": "2023-03-30",
      "cisaRequiredAction": "Apply updates per vendor instructions.",
      "cisaVulnerabilityName": "Fortra Cobalt Strike User Interface Remote Code Execution Vulnerability",
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:helpsystems:cobalt_strike:4.7.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5F082C0F-93EC-4401-9A61-EA1C6599FC08\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Cobalt Strike 4.7.1 fails to properly escape HTML tags when they are displayed on Swing components. By injecting crafted HTML code, it is possible to remotely execute code in the Cobalt Strike UI.\"}]",
      "id": "CVE-2022-42948",
      "lastModified": "2024-11-21T07:25:39.463",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2023-03-24T14:15:09.927",
      "references": "[{\"url\": \"https://thesecmaster.com/how-to-fix-cve-2022-42948-a-critical-rce-vulnerability-in-cobalt-strike/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Technical Description\", \"Third Party Advisory\"]}, {\"url\": \"https://www.cobaltstrike.com/blog/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.redpacketsecurity.com/helpsystems-cobalt-strike-code-execution-cve-2022-42948/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://thesecmaster.com/how-to-fix-cve-2022-42948-a-critical-rce-vulnerability-in-cobalt-strike/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Technical Description\", \"Third Party Advisory\"]}, {\"url\": \"https://www.cobaltstrike.com/blog/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.redpacketsecurity.com/helpsystems-cobalt-strike-code-execution-cve-2022-42948/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-116\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-42948\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2023-03-24T14:15:09.927\",\"lastModified\":\"2025-11-03T16:20:40.377\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cobalt Strike 4.7.1 fails to properly escape HTML tags when they are displayed on Swing components. By injecting crafted HTML code, it is possible to remotely execute code in the Cobalt Strike UI.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"cisaExploitAdd\":\"2023-03-30\",\"cisaActionDue\":\"2023-04-20\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"Fortra Cobalt Strike User Interface Remote Code Execution Vulnerability\",\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-116\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-116\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:helpsystems:cobalt_strike:4.7.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F082C0F-93EC-4401-9A61-EA1C6599FC08\"}]}]}],\"references\":[{\"url\":\"https://thesecmaster.com/how-to-fix-cve-2022-42948-a-critical-rce-vulnerability-in-cobalt-strike/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Technical Description\",\"Third Party Advisory\"]},{\"url\":\"https://www.cobaltstrike.com/blog/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.redpacketsecurity.com/helpsystems-cobalt-strike-code-execution-cve-2022-42948/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://thesecmaster.com/how-to-fix-cve-2022-42948-a-critical-rce-vulnerability-in-cobalt-strike/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\",\"Third Party Advisory\"]},{\"url\":\"https://www.cobaltstrike.com/blog/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.redpacketsecurity.com/helpsystems-cobalt-strike-code-execution-cve-2022-42948/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-42948\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.cobaltstrike.com/blog/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.redpacketsecurity.com/helpsystems-cobalt-strike-code-execution-cve-2022-42948/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://thesecmaster.com/how-to-fix-cve-2022-42948-a-critical-rce-vulnerability-in-cobalt-strike/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T13:19:05.527Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-42948\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-28T21:13:12.898964Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2023-03-30\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-42948\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2023-03-30T00:00:00+00:00\", \"value\": \"CVE-2022-42948 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-42948\", \"tags\": [\"government-resource\"]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-116\", \"description\": \"CWE-116 Improper Encoding or Escaping of Output\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-28T21:12:50.663Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://www.cobaltstrike.com/blog/\"}, {\"url\": \"https://www.redpacketsecurity.com/helpsystems-cobalt-strike-code-execution-cve-2022-42948/\"}, {\"url\": \"https://thesecmaster.com/how-to-fix-cve-2022-42948-a-critical-rce-vulnerability-in-cobalt-strike/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Cobalt Strike 4.7.1 fails to properly escape HTML tags when they are displayed on Swing components. By injecting crafted HTML code, it is possible to remotely execute code in the Cobalt Strike UI.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2023-03-24T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-42948\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T23:15:21.818Z\", \"dateReserved\": \"2022-10-14T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2023-03-24T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.