External risk intelligence

SiteServer CMS Arbitrary Code Execution Via Crafted Plugin

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2022-28118

SiteServer CMS is a web-based content management system. As a public-facing web application typically deployed to host websites, the application's interface and its plug-in management features are commonly exposed to the public internet in standard deployments.

Sscms Siteserver Cms

7.0.0 to 7.1.2

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in SiteServer CMS, a content management system. This flaw could allow unauthorized individuals to execute malicious code, potentially impacting the integrity and availability of systems using this software. The primary concern is to confirm if our organization utilizes this specific technology and assess any potential exposure.

  • Code execution flaw in content management system.
  • Confirms if vulnerable software is in use.
  • Assess relevance and exposure to SiteServer CMS.

Attack Path

How an attacker could exploit the issue

An attacker can target SiteServer CMS by uploading a specially crafted plug-in through its administrative interface. This malicious plug-in, when processed by the vulnerable system, can lead to the execution of arbitrary code.

  • No authentication required.
  • Upload a malicious plug-in.
  • Execute arbitrary code.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in SiteServer CMS could allow an unauthenticated attacker to execute arbitrary code on the server, potentially impacting the confidentiality, integrity, and availability of the system. The risk arises when the system's plug-in management features are accessible.

  • System code and data.
  • Via crafted plug-in uploads.
  • Complete system compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

Given the criticality of this vulnerability, the primary focus should be on identifying and securing instances of SiteServer CMS. Owners of web applications and content management systems, potentially supported by infrastructure or platform teams, should lead the initial triage. The first practical step involves locating all deployed SiteServer CMS instances, assessing their internet reachability and business criticality, and confirming the accountable owner for each. Following this, a risk-based remediation plan, considering available maintenance windows and vendor coordination, should be developed.

  • Application owners must lead remediation.
  • Verify internet-exposed instances first.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is SiteServer CMS?

SiteServer CMS is a web-based content management system used to build, manage, and host websites. It includes features for extending functionality through plug-ins, which allow administrators to add or modify capabilities within the application environment.

How does CVE-2022-28118 allow code execution?

This vulnerability acts as an improper input validation flaw. It allows the system to process and run files provided through the plug-in management interface without verifying their origin or safety. Because the application fails to restrict these uploads, it essentially permits an attacker to inject and execute their own programs on the host server.

Do I need to be logged in for an attacker to trigger this?

No, authentication is not required to trigger this vulnerability. An attacker can attempt to upload a malicious plug-in directly. Note that simply having the software installed is not the trigger; the system must be reachable and the attacker must be able to interact with the specific administrative interface that handles plug-in uploads.

Is my SiteServer CMS instance at high risk?

According to Halo Surface Signal, this software is typically deployed as a public-facing web application. If your instance is accessible via the internet, it is at higher risk because the interface used for this attack is commonly exposed. Systems hidden behind strict network perimeters may have a reduced immediate attack surface.

What should I do if I run SiteServer CMS?

Begin by creating an inventory of all SiteServer CMS instances in your environment to determine which are active. Prioritize those reachable from the internet for immediate review. Identify the teams responsible for these applications and coordinate with them to evaluate the system configuration and prepare a plan to secure or update the software.

References