CVE-2022-25152 in SAAS
Summary
by MITRE • 06/09/2022
The ITarian platform (SAAS / on-premise) offers the possibility to run code on agents via a function called procedures. It is possible to require a mandatory approval process. Due to a vulnerability in the approval process, present in any version prior to 6.35.37347.20040, a malicious actor (with a valid session token) can create a procedure, bypass approval, and execute the procedure. This results in the ability for any user with a valid session token to perform arbitrary code execution and full system take-over on all agents.
Analysis
by VulDB Data Team • 05/06/2026
The vulnerability identified as CVE-2022-25152 affects the ITarian platform, a software as a service solution that enables remote management of agents through a procedure execution mechanism. This platform operates in both cloud and on-premise deployments, providing organizations with centralized agent management capabilities. The core functionality relies on procedures that can be executed on remote agents, with the platform implementing an approval workflow to control who can execute potentially dangerous operations. The vulnerability stems from a critical flaw in the approval process implementation, which has been present in all versions prior to 6.35.37347.20040, creating a significant security weakness that undermines the platform's access control mechanisms.
The technical flaw manifests as a bypass in the mandatory approval workflow that should prevent unauthorized procedure execution. A malicious actor possessing a valid session token can exploit this vulnerability to create new procedures without undergoing the required approval process. This represents a fundamental breakdown in the platform's authorization controls, where the approval system fails to properly validate procedure creation requests. The vulnerability operates at the application level and demonstrates a classic case of insufficient authorization checking, which falls under CWE-285 - Improper Authorization. The flaw allows for privilege escalation from a regular authenticated user to full system administrator privileges across all managed agents, effectively compromising the entire agent network.
The operational impact of this vulnerability is severe and far-reaching, as it enables complete system takeover of all agents managed by the vulnerable ITarian platform. Any user with a valid session token can execute arbitrary code on target systems, potentially leading to data exfiltration, system compromise, lateral movement within networks, and complete organizational infrastructure takeover. This vulnerability particularly affects organizations that rely heavily on remote agent management for security operations, system maintenance, and compliance monitoring. The implications extend beyond simple code execution to include potential persistence mechanisms, privilege escalation to system-level access, and the ability to manipulate agent configurations. From an attacker's perspective, this vulnerability provides a powerful foothold that bypasses normal security controls and can be exploited to gain unauthorized access to sensitive systems.
Organizations should immediately upgrade to version 6.35.37347.20040 or later to remediate this vulnerability, as no effective workarounds exist for this specific approval bypass issue. The patch addresses the core authorization flaw by implementing proper validation of procedure creation requests and ensuring that all new procedures must undergo the mandatory approval workflow regardless of user session state. Security teams should conduct immediate vulnerability assessments of their ITarian deployments to identify affected systems and implement additional monitoring for suspicious procedure creation activities. This vulnerability aligns with ATT&CK technique T1059.001 - Command and Scripting Interpreter, as it enables arbitrary code execution, and T1566.001 - Phishing - Spearphishing Attachment, if the initial compromise occurs through email-based attack vectors. Organizations should also review their session management practices and implement additional controls such as session token rotation and enhanced monitoring of procedure execution activities to prevent exploitation of similar authorization flaws in other systems.
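The monitoring of procedure creation and execution recommended above can be done by correlating audit events: every execution should be preceded by an approval that is still valid. The following Python is an added example, not ITarian or VulDB code; the event schema, the event names and the sample log lines are constructed assumptions, as is the rule that editing a procedure invalidates an earlier approval.

```python
import json
from datetime import datetime

# Constructed sample events. The schema (ts, event, procedure_id, user, agents)
# is an assumption for illustration, not the platform's real audit-log format.
# The p-102 approval is listed before its execution but carries a later timestamp.
SAMPLE_LOG = """\
{"ts": "2022-03-01T09:00:00", "event": "procedure_created", "procedure_id": "p-100", "user": "alice"}
{"ts": "2022-03-01T09:05:00", "event": "procedure_approved", "procedure_id": "p-100", "user": "bob"}
{"ts": "2022-03-01T09:06:00", "event": "procedure_executed", "procedure_id": "p-100", "user": "alice", "agents": 12}
{"ts": "2022-03-01T10:00:00", "event": "procedure_created", "procedure_id": "p-101", "user": "mallory"}
{"ts": "2022-03-01T10:00:30", "event": "procedure_executed", "procedure_id": "p-101", "user": "mallory", "agents": 340}
{"ts": "2022-03-01T11:00:00", "event": "procedure_created", "procedure_id": "p-102", "user": "carol"}
{"ts": "2022-03-01T11:30:00", "event": "procedure_approved", "procedure_id": "p-102", "user": "bob"}
{"ts": "2022-03-01T11:02:00", "event": "procedure_executed", "procedure_id": "p-102", "user": "carol", "agents": 3}
{"ts": "2022-03-01T12:00:00", "event": "procedure_created", "procedure_id": "p-103", "user": "dave"}
{"ts": "2022-03-01T12:02:00", "event": "procedure_approved", "procedure_id": "p-103", "user": "bob"}
{"ts": "2022-03-01T12:05:00", "event": "procedure_modified", "procedure_id": "p-103", "user": "dave"}
{"ts": "2022-03-01T12:10:00", "event": "procedure_executed", "procedure_id": "p-103", "user": "dave", "agents": 57}
"""

def find_unapproved_executions(log_text):
    """Return executions that had no valid approval at the time they ran."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    # Order by timestamp so an approval recorded later cannot cover an earlier run.
    events.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
    approved_by = {}  # procedure_id -> approver, present only while approval is valid
    findings = []
    for e in events:
        pid, kind = e["procedure_id"], e["event"]
        if kind == "procedure_approved":
            approved_by[pid] = e["user"]
        elif kind in ("procedure_created", "procedure_modified"):
            # Assumption: new or edited content needs a fresh approval.
            approved_by.pop(pid, None)
        elif kind == "procedure_executed" and pid not in approved_by:
            findings.append({"procedure_id": pid, "user": e["user"],
                             "ts": e["ts"], "agents": e.get("agents", 0)})
    return findings

if __name__ == "__main__":
    for f in find_unapproved_executions(SAMPLE_LOG):
        print(f"ALERT {f['ts']} {f['procedure_id']} run by {f['user']} "
              f"on {f['agents']} agents without valid approval")
```
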