CVE-2022-39197

What is Cobalt Strike?

Cobalt Strike is a commercial adversary simulation and penetration testing platform used by red teams to simulate advanced threat actor tactics. It consists of a Teamserver (the C2 server that operators control) and Beacon (the implant agent deployed on target systems). Beacon calls home to the Teamserver, reporting in with connection metadata including a configurable username. The Teamserver's web-based operator UI displays this Beacon metadata — creating an attack surface where malicious Beacon check-in data can influence the operator's browser.

Overview

CVE-2022-39197 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in the Cobalt Strike Teamserver. An attacker who has gained code execution on a victim system and deployed a Cobalt Strike Beacon (or who controls a rogue Beacon) can craft a malicious username in the Beacon configuration. When the Beacon calls home to the Teamserver, this username is displayed in the operator UI — and if it contains JavaScript, that script executes in the operator's browser. The attacker can use this to attack the Cobalt Strike operator themselves: stealing session cookies, pivoting to the operator's machine, or disrupting red team operations. Fortra issued an out-of-band patch (4.7.1) to address this.

Affected Versions

Technical Details

Beacon agents periodically check in to the Teamserver and transmit metadata including the configured computer name and username. The Teamserver did not sanitize this metadata before rendering it in the operator UI (the Sessions tab and related views), creating a stored XSS condition:

• Attack path: Attacker deploys a rogue Beacon with a username containing a JavaScript payload → Beacon checks in to the Teamserver → Teamserver stores and displays the unsanitized username in the operator UI → JavaScript executes in the operator's browser session
• No authentication required: The attacker only needs the ability to connect to the Teamserver's listener port with a crafted Beacon check-in — no Teamserver credentials needed
• Impact: Full control over the operator's browser session, including cookie theft and session hijacking against the Teamserver itself
• Reverse-attack scenario: Blue teamers or defenders operating honeypot Beacons can potentially attack red team operators who interact with their systems using unpatched Cobalt Strike

Discovery

Reported by multiple security researchers examining the Cobalt Strike attack surface. The vulnerability was notable because it demonstrates the security implications of the Teamserver rendering attacker-controlled data in a web interface.

Exploitation Context

CISA added CVE-2022-39197 to KEV in March 2023, reflecting that threat actors — including groups who cracked or pirated Cobalt Strike — exploited this vulnerability. Rogue or modified Cobalt Strike deployments used by criminal actors could be targeted by defenders using this technique to compromise operator infrastructure. The practical exploitation context is dual-use: red teams using unpatched Cobalt Strike are themselves vulnerable to blue team or threat actor counterattacks via crafted Beacon responses.

Remediation

1. Upgrade Cobalt Strike to version 4.7.1 or later immediately
2. If immediate upgrade is not possible, restrict Teamserver UI access to trusted IPs via firewall rules
3. Audit Cobalt Strike license use — pirated versions will not receive updates and remain permanently vulnerable
4. Review Teamserver access logs for unexpected Beacon connections that could indicate attempted exploitation
5. Implement network-level filtering on Teamserver listener ports to block unexpected source IPs