What is Netwrix Auditor?
Netwrix Auditor is a widely deployed IT security auditing and compliance platform used by enterprise IT and security teams to monitor user activity, audit access to sensitive data, track configuration changes, and generate compliance reports across Active Directory, file servers, Exchange, SQL Server, and other systems. It is a security-critical product: it records all privileged user activity and has access to a comprehensive audit trail of the organization's IT environment. As a highly trusted system with deep access to sensitive audit data and privileged credentials, Netwrix Auditor is a high-value target for attackers seeking to harvest credentials, cover tracks, or establish persistence.
Overview
CVE-2022-31199 is a critical insecure object deserialization vulnerability (CWE-502, CVSS 9.8) in the Netwrix Auditor User Activity Video Recording component. The component listens on TCP port 9004 and deserializes .NET objects received from clients without any authentication. An unauthenticated remote attacker who can reach port 9004 can send a crafted serialized object that, when deserialized, executes arbitrary code as NT AUTHORITY\SYSTEM on the Netwrix Auditor server. Bishop Fox published the vulnerability research in June 2022; CISA confirmed active exploitation by ransomware operators in July 2023, more than a year after public disclosure.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Netwrix Auditor | Before 10.5 | 10.5 and later |
Netwrix requires login to their customer portal to access the patch. CISA notes that if updates are unavailable, the product should be discontinued.
Technical Details
The vulnerability (CWE-502: Deserialization of Untrusted Data) is in the Netwrix Auditor User Activity Video Recording service, which listens on TCP port 9004. The service deserializes the data it receives on client connections with .NET's BinaryFormatter (or a comparable formatter) and performs no authentication first, so any client that can open a connection controls the serialized type graph that the server instantiates.
.NET deserialization gadget chains let an attacker build a serialized payload from known exploitable combinations of classes in the .NET base class library and common Microsoft assemblies; ysoserial.net catalogs and generates these chains. When the Netwrix service deserializes such a payload, the gadget chain executes arbitrary OS commands in the context of the service, which runs as NT AUTHORITY\SYSTEM by default.
The port is intended for communication between Netwrix components, but in many enterprise environments TCP 9004 is reachable across subnets, because distributed deployments need server-to-server traffic on it. Standard enterprise firewalling rarely blocks the port when the Netwrix server is reachable from the corporate network at all, so the exposure usually extends well beyond the local host.
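As an added example (not from Netwrix or the Bishop Fox advisory), the following PowerShell reviews Windows Firewall logs on the Netwrix Auditor server for inbound connections to TCP 9004 from hosts that are not known Netwrix components, which is the quickest way to measure the exposure described above. The log lines and the allow-list are constructed for the demo.

```powershell
# Added example: which hosts have actually been reaching TCP 9004? Not Netwrix's code.
# Assumption: these are the only hosts that legitimately talk to the Netwrix server on 9004.
$KnownNetwrixHosts = @('10.0.0.5', '10.0.0.6')

# Constructed pfirewall.log lines in the W3C layout that Windows Firewall writes.
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-07-12 09:15:01 ALLOW TCP 10.0.0.6 10.0.0.10 51234 9004 0 - 0 0 0 - - - RECEIVE
2023-07-12 09:15:07 ALLOW TCP 10.20.30.40 10.0.0.10 49811 9004 0 - 0 0 0 - - - RECEIVE
2023-07-12 09:15:09 ALLOW TCP 10.20.30.40 10.0.0.10 49812 9004 0 - 0 0 0 - - - RECEIVE
2023-07-12 09:16:00 ALLOW TCP 10.0.0.10 10.0.0.20 50100 445 0 - 0 0 0 - - - SEND
2023-07-12 09:17:33 DROP TCP 198.51.100.7 10.0.0.10 40022 9004 52 S 0 0 0 - - - RECEIVE
'@ -split "`r?`n"

function Get-UnexpectedNetwrixClients {
    param(
        [string[]]$LogLines,
        [string[]]$AllowedHosts,
        [int]$Port = 9004
    )
    $LogLines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |        # skip header/comment lines
        ForEach-Object {
            $f = $_ -split ' '
            [pscustomobject]@{
                Time    = "$($f[0]) $($f[1])"
                Action  = $f[2]
                Proto   = $f[3]
                SrcIP   = $f[4]
                DstIP   = $f[5]
                DstPort = [int]$f[7]
                Path    = $f[-1]                                   # RECEIVE = inbound
            }
        } |
        Where-Object { $_.Proto -eq 'TCP' -and $_.DstPort -eq $Port -and
                       $_.Path -eq 'RECEIVE' -and $_.SrcIP -notin $AllowedHosts } |
        Group-Object SrcIP |
        ForEach-Object {
            [pscustomobject]@{
                SrcIP       = $_.Name
                Connections = $_.Count
                Allowed     = @($_.Group | Where-Object Action -eq 'ALLOW').Count
                FirstSeen   = ($_.Group | Select-Object -First 1).Time
            }
        }
}

Get-UnexpectedNetwrixClients -LogLines $SampleLog -AllowedHosts $KnownNetwrixHosts | Format-Table -AutoSize
```

On the sample data this reports 10.20.30.40 (two allowed connections) and 198.51.100.7 (one dropped attempt) and ignores the known peer and the outbound SMB line. Against a real server, pass `Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"` as `-LogLines`; note that Windows Firewall does not log allowed connections by default, so enable it first with `Set-NetFirewallProfile -All -LogAllowed True -LogBlocked True` and let it run long enough to cover normal Netwrix collection cycles.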
Discovery
Discovered by Bishop Fox security researchers, who published detailed technical analysis of the vulnerability on June 14, 2022, including proof-of-concept exploitation details. Netwrix published an advisory (ADV-2022-003) requiring customer portal authentication to view, a practice that delayed broad awareness and contributed to the long exploitation window.
Exploitation Context
Netwrix Auditor is a valuable target for ransomware operators for multiple reasons:
- Credential access: Netwrix stores or has access to audit logs of privileged account activity, potentially exposing credentials or authentication patterns
- Log tampering: Controlling the audit system allows attackers to delete or modify audit trails, covering their tracks across the entire monitored environment
- SYSTEM-level access: Code execution as NT AUTHORITY\SYSTEM on the Netwrix server exposes the credentials of the Netwrix service account, which is typically highly privileged in the domain, giving the attacker a short path to domain-level privilege escalation in many configurations
- Trust and access: The Netwrix service account often has read access to vast amounts of sensitive organizational data for auditing purposes
The 13-month gap between public disclosure (June 2022) and KEV addition (July 2023) reflects the continued exploitation of organizations that delayed patching their security auditing infrastructure — a common pattern where security tooling itself receives less rigorous patching discipline than production systems.
Remediation
- Upgrade Netwrix Auditor to version 10.5 or later: Apply the patch via the Netwrix customer portal (login required). This resolves the deserialization vulnerability.
- Firewall TCP port 9004: Restrict access to Netwrix's internal service port (9004/TCP) to only the hosts that legitimately need to communicate with the Netwrix Auditor server. Do not allow access from general workstations or internet-facing segments.
- Audit for compromise: If port 9004 was reachable from broad network segments before patching, conduct a forensic review of the Netwrix server for indicators of compromise: unexpected scheduled tasks, new accounts or services, and gaps in or modifications to the audit logs themselves.
- Review Netwrix service account: If the Netwrix service account has domain-wide access (common for auditing), audit for unauthorized use of those credentials across the domain.
- Isolate the Netwrix server: Place the Netwrix Auditor server on a restricted management network accessible only to security operations personnel and authorized Netwrix components.
- Enable Windows Defender Application Control (WDAC) or AppLocker: Restricting which executables and scripts can run on the Netwrix server limits post-exploitation persistence options even after an initial compromise.
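The steps above, as an added example to be run as an administrator on the Netwrix Auditor server (this is not Netwrix's or CISA's tooling): it checks the installed version against the 10.5 fix, shows what is listening on 9004, scopes inbound 9004 to known Netwrix hosts, and pulls the Windows events that the indicators of compromise listed above would leave. The allow-list, the disclosure date used as a hunting window, and the registry display name matched are assumptions marked inline.

```powershell
# Added example: remediation and compromise hunt for CVE-2022-31199. Not Netwrix's code.
$FixedVersion      = [version]'10.5'
$KnownNetwrixHosts = @('10.0.0.5', '10.0.0.6')     # assumption: the legitimate Netwrix peers
$Since             = Get-Date '2022-06-14'          # public disclosure date; widen if needed

function Get-NetwrixAuditorVersion {
    # Assumption: the product registers an uninstall entry whose DisplayName starts with "Netwrix Auditor".
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Netwrix Auditor*' -and $_.DisplayVersion } |
        ForEach-Object {
            [pscustomobject]@{
                Product    = $_.DisplayName
                Version    = [version]$_.DisplayVersion
                Vulnerable = ([version]$_.DisplayVersion) -lt $FixedVersion
            }
        }
}

function Get-Port9004Listener {
    # Confirms the service is actually bound on this host and which process owns the socket.
    Get-NetTCPConnection -LocalPort 9004 -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ LocalAddress = $_.LocalAddress; Pid = $_.OwningProcess
                               Process = $p.ProcessName; Path = $p.Path }
        }
}

function Limit-Port9004Access {
    param([string[]]$AllowedHosts)
    # Windows Firewall evaluates explicit Block rules before Allow rules, so a catch-all Block
    # on 9004 would also block the allowed peers. Rely on the profile default (Block inbound)
    # and disable any existing Allow rule for 9004 that is not scoped to specific remote hosts.
    Set-NetFirewallProfile -All -DefaultInboundAction Block
    Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '9004' } |
        Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            if ($remote -eq 'Any') {
                Write-Warning "Disabling unscoped 9004 allow rule: $($_.DisplayName)"
                $_ | Disable-NetFirewallRule
            }
        }
    $name = 'Netwrix Auditor 9004 (known hosts only)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort 9004 `
            -RemoteAddress $AllowedHosts -Action Allow -Profile Any | Out-Null
    }
}

function Get-PostExploitationIndicators {
    param([datetime]$Since)
    # Security 4720 = user account created, 4698 = scheduled task created; System 7045 = new service installed.
    $filters = @(
        @{ LogName = 'Security'; Id = 4720, 4698; StartTime = $Since },
        @{ LogName = 'System';   Id = 7045;       StartTime = $Since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
    }
}

Get-NetwrixAuditorVersion | Format-Table -AutoSize
Get-Port9004Listener      | Format-Table -AutoSize
Limit-Port9004Access -AllowedHosts $KnownNetwrixHosts
Get-PostExploitationIndicators -Since $Since | Format-Table -AutoSize
```

Events 4720 and 4698 only exist if the User Account Management and Other Object Access audit subcategories were enabled during the exposure window; if they were not, fall back to comparing the task XML under `$env:SystemRoot\System32\Tasks`, local user lists and service registrations against a known-good build. The firewall change is meant to survive the upgrade to 10.5: the patch removes the deserialization bug, but the port should still only be reachable from the hosts that need it.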
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-31199 |
| Vendor / Product | Netwrix — Auditor |
| NVD Published | 2022-11-08 |
| NVD Last Modified | 2025-11-03 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-502 |
| CISA KEV Added | 2023-07-11 |
| CISA KEV Deadline | 2023-08-01 |
| Known Ransomware Use | ⚠️ Yes |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Required Action
Apply updates per vendor instructions (upgrade Netwrix Auditor to 10.5 or later via the customer portal), or discontinue use of the product if updates are unavailable.
Timeline
| Date | Event |
|---|---|
| 2022-06-14 | Bishop Fox published vulnerability research and technical details |
| 2022-11-08 | CVE published |
| 2023-07-11 | CISA added to KEV; exploitation by ransomware operators confirmed |
| 2023-08-01 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2022-31199 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Bishop Fox — Netwrix Auditor Insecure Object Deserialization | Security Research |