CVE-2022-42948

critical

Description

Cobalt Strike 4.7.1 fails to properly escape HTML tags when they are displayed on Swing components. By injecting crafted HTML code, it is possible to remotely execute code in the Cobalt Strike UI.

References

Advisories
More

https://www.redpacketsecurity.com/helpsystems-cobalt-strike-code-execution-cve-2022-42948/

https://thesecmaster.com/how-to-fix-cve-2022-42948-a-critical-rce-vulnerability-in-cobalt-strike/

https://www.cobaltstrike.com/blog/

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-42948

Details

Source: Mitre, NVD

Published: 2023-03-24

Updated: 2026-06-17

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H