CVE-2022-42948 — Fortra Cobalt Strike User Interface Remote Code Execution Vulnerability

Fortra Cobalt Strike — Java Swing UI RCE via Malformed Server Response; Affects Operators Running Legitimate and Pirated Instances

What is Fortra Cobalt Strike?

Cobalt Strike is a commercial adversary simulation and red team platform developed by Fortra (formerly HelpSystems). It is widely used by penetration testers, red teams, and security operations teams to simulate advanced persistent threats and test defensive controls. Cobalt Strike consists of a team server component (which operators connect to from a client) and the Cobalt Strike client application — a Java Swing-based graphical user interface that operators use to manage engagements, create payloads, and interact with compromised systems. While designed for legitimate security testing, Cobalt Strike is also extensively used by threat actors and ransomware groups, who distribute cracked or leaked copies for malicious operations.

Overview

CVE-2022-42948 is a critical remote code execution vulnerability (CWE-116, CVSS 9.8) in the Fortra Cobalt Strike client's Java Swing-based user interface. An attacker who controls a Cobalt Strike team server can exploit this vulnerability to execute arbitrary code on the client machine of any operator who connects to that team server with a vulnerable Cobalt Strike version. This vulnerability is notable because it specifically targets the security tool itself, affecting the machines of security professionals using Cobalt Strike — or, in the context of unauthorized/cracked Cobalt Strike use, potentially enabling "counter-exploitation" of threat actors using pirated copies.

Affected Versions

Product         Vulnerable      Fixed
Cobalt Strike   Before 4.7.2    4.7.2

Technical Details

The vulnerability (CWE-116: Improper Encoding or Escaping of Output) exists in the Cobalt Strike client's Java Swing user interface layer. Java Swing is the standard Java GUI framework; the Cobalt Strike client renders data received from the team server in Swing UI components.

The vulnerability arises from improper handling or escaping of data received from the team server before it is rendered in Swing UI components. Java Swing's HTML rendering capabilities (supported in some label and text components via the text/html MIME type) can be exploited if attacker-controlled content is rendered as HTML without proper sanitization.

An attacker who operates a malicious team server (or has compromised a legitimate team server) can send specially crafted responses containing content that, when rendered by the vulnerable Cobalt Strike client's Swing components, triggers code execution on the client machine. The exploitation pathway leverages Java Swing's embedded HTML rendering to inject and execute code.
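The following is an added example, not Cobalt Strike code and not a reproduction of the actual exploit. It shows in plain Swing the rendering behaviour described above (a JLabel whose text begins with `<html>` is parsed and rendered as HTML) and two defensive patterns that address the CWE-116 root cause: disabling HTML interpretation for the component with the documented `html.disable` client property, or entity-encoding server-supplied text before it is placed inside a label that intentionally uses HTML formatting. The server string is constructed for illustration, and the class and method names are the example's own.

```java
import javax.swing.JComponent;
import javax.swing.JLabel;
import javax.swing.plaf.basic.BasicHTML;
import javax.swing.text.View;

/*
 * Added example (not Cobalt Strike code): how a Swing client ends up
 * interpreting server-supplied text as HTML, and two ways to prevent it.
 * Class and method names are the example's own.
 */
public class SwingHtmlHardening {

    // Weak pattern: text received from the team server is handed straight to
    // a JLabel. If the text starts with "<html>", Swing parses and renders it
    // as HTML instead of displaying it literally.
    static JLabel weakLabel(String serverSupplied) {
        return new JLabel(serverSupplied);
    }

    // Hardened pattern 1: tell Swing never to treat this component's text as
    // HTML. "html.disable" is the client property that BasicHTML checks before
    // building an HTML view; it must be set before the text is assigned.
    static JLabel hardenedLabel(String serverSupplied) {
        JLabel label = new JLabel();
        label.putClientProperty("html.disable", Boolean.TRUE);
        label.setText(serverSupplied);
        return label;
    }

    // Hardened pattern 2 (output encoding): when the label intentionally uses
    // HTML for layout, encode the untrusted portion so its characters are
    // displayed literally and can never introduce markup of their own.
    static String escapeForSwingHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    static JLabel formattedLabel(String untrustedName) {
        // Only the constant markup is ours; the server text is inert.
        return new JLabel("<html><b>Host:</b> " + escapeForSwingHtml(untrustedName));
    }

    // Check used in the demo: did Swing install an HTML View for this
    // component? BasicHTML stores the View under BasicHTML.propertyKey.
    static boolean rendersAsHtml(JComponent c) {
        return c.getClientProperty(BasicHTML.propertyKey) instanceof View;
    }

    public static void main(String[] args) {
        // Constructed sample of a field a malicious or compromised team server
        // could return and the client would display verbatim. Harmless markup
        // is used here; the point is only that it is interpreted at all.
        String fromServer = "<html><b>beacon-01</b> checked in";

        JLabel weak = weakLabel(fromServer);
        JLabel disabled = hardenedLabel(fromServer);
        JLabel encoded = formattedLabel(fromServer);

        System.out.println("weak label renders HTML:        " + rendersAsHtml(weak));
        System.out.println("html.disable label renders HTML: " + rendersAsHtml(disabled));
        System.out.println("encoded label renders HTML:     " + rendersAsHtml(encoded)
                + " (server text entity-encoded, shown literally)");
    }
}
```

The `html.disable` property is the simplest fix wherever a component never needs HTML, and it can be applied centrally (for example in a factory used for every server-populated label). Entity encoding is the right tool only where the component deliberately uses HTML for layout; note that encoded text placed in a label that is not HTML-rendered would show the entities literally, so the two patterns are not interchangeable.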

This type of vulnerability is particularly significant because:

  • The attacker needs to control the team server (a high bar for most attackers but feasible for sophisticated actors targeting security professionals)
  • Security professionals using Cobalt Strike run it on sensitive workstations with access to internal networks, making compromise of their machines high-value

Discovery

The vulnerability was reported to Fortra (Cobalt Strike's vendor) through responsible disclosure. Fortra released the fix as an out-of-band update (Cobalt Strike 4.7.2) in November 2022, indicating urgency outside its normal release cycle.

Exploitation Context

CVE-2022-42948 is unusual because it targets a security tool used by both defenders and attackers:

Legitimate security professional targeting: Nation-state actors and sophisticated criminal groups that know a target organization's red team uses Cobalt Strike could attempt to set up a rogue team server to exploit this vulnerability against pentesters connecting to it — potentially compromising security professionals' workstations to gain access to the internal networks they're authorized to test.

Cracked Cobalt Strike ecosystem targeting: A large proportion of Cobalt Strike usage by threat actors involves cracked or unlicensed copies. The operators of cracked versions may be targeted through malicious team servers that exploit this vulnerability — effectively "counter-hacking" threat actors. This represents a novel attack surface in the offensive tooling supply chain.

Incident response implications: Organizations responding to Cobalt Strike-based attacks should consider whether the attacking team server itself is vulnerable, and whether attribution or disruption of threat actor infrastructure is feasible.

The KEV addition reflects that CISA determined this vulnerability was actively exploited — likely in the context of targeting security professionals or operators of unauthorized Cobalt Strike instances.

Remediation

  1. Update Cobalt Strike to 4.7.2 or later: All organizations using licensed Cobalt Strike should update their team servers and clients via the Fortra update portal immediately.
  2. Verify all clients are updated: In a distributed red team environment, ensure every operator's Cobalt Strike client is updated — the client is the vulnerable component, not the team server.
  3. Restrict team server access: Cobalt Strike team servers should only accept client connections from trusted operator machines on authorized networks. Use firewall rules and SSL certificate pinning to restrict which clients can connect.
  4. Audit team server connections: Review Cobalt Strike team server logs for unexpected client connections from unrecognized IP addresses that may indicate exploitation attempts.
  5. Operator workstation security: Red team operator workstations that run Cobalt Strike clients should have EDR, application whitelisting, and endpoint isolation capabilities given their sensitive access to test environments.
  6. Remove unauthorized Cobalt Strike instances: Organizations that discover unauthorized Cobalt Strike team servers or clients on their networks (as part of incident response) should recognize these as indicators of active threat actor presence.

Key Details

Property               Value
CVE ID                 CVE-2022-42948
Vendor / Product       Fortra — Cobalt Strike
NVD Published          2023-03-24
NVD Last Modified      2025-11-03
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-116
CISA KEV Added         2023-03-30
CISA KEV Deadline      2023-04-20
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2023-04-20. Apply updates per vendor instructions.

Timeline

Date         Event
2022-11-18   Fortra released Cobalt Strike 4.7.2 with security fix
2023-03-24   CVE published
2023-03-30   CISA added to KEV
2023-04-20   CISA BOD 22-01 remediation deadline

References

Resource                                   Type
NVD — CVE-2022-42948                       Vulnerability Database
CISA KEV Catalog Entry                     US Government
Cobalt Strike Out-of-Band Update 4.7.2     Vendor Advisory