CriticalCISA KEVExploited in the wildPublic exploit

Netwrix Auditor User Activity Video Recording Remote Code Execution

IdentifiersCVE-2022-31199CWE-502· Deserialization of Untrusted Data

CVE-2022-31199 is a critical unauthenticated remote code execution vulnerability in the Netwrix Auditor User Activity Video Recording (UAVR) component. The issue exists in the underlying .NET remoting protocol used by the UAVRServer service, exposed on TCP port 9004, and is caused by insecure deserialization of attacker-controlled .NET objects. A remote attacker can send a crafted serialized payload to the vulnerable endpoint without authentication or user interaction and trigger arbitrary code execution on the Netwrix Auditor server or affected agents installed on monitored systems. Successful exploitation results in code execution as NT AUTHORITY\SYSTEM. The content states the issue affects Netwrix Auditor versions earlier than 10.5 and has been observed exploited in the wild.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows full remote code execution with NT AUTHORITY\SYSTEM privileges on affected Netwrix Auditor servers and monitored systems running vulnerable agents. Because Netwrix Auditor commonly operates with extensive privileges in enterprise and Active Directory environments, compromise can result in complete system takeover, theft or manipulation of sensitive audit data, installation of malware or ransomware, lateral movement, and potentially broader domain compromise. The vulnerability has high impact on confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

Restrict network access to the UAVRServer service on TCP port 9004 using host and network firewalls, and limit access to trusted administrative networks only. Reduce or eliminate internet exposure of the service, segment Netwrix Auditor infrastructure from untrusted networks, and monitor for unexpected connections or exploitation attempts targeting port 9004. Where immediate patching is not possible, disable or isolate the vulnerable component if operationally feasible.

Remediation

Patch, then assume compromise.

Upgrade Netwrix Auditor to version 10.5 or later, as the content identifies versions prior to 10.5 as affected. Apply vendor-provided fixes to both the Netwrix Auditor server and any deployed agents using the vulnerable User Activity Video Recording component. Validate that the UAVR service is no longer vulnerable after upgrade and review exposed monitored systems for the presence of outdated agents.

PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTALView more in app

CVE-2022-31199MaturityPoCVerified exploit

This repository provides a comprehensive lab and exploit toolkit for CVE-2022-31199, a critical unauthenticated remote code execution vulnerability in Netwrix Auditor (<10.5) via insecure .NET Remoting deserialization. The structure includes: - A vulnerable server simulator (Python and C#/.NET versions) that mimics the Netwrix UAVRServer endpoint on TCP port 9004, with intentionally insecure deserialization settings (TypeFilterLevel=Full). - Exploit scripts in Python (exploit.py, test_exploit.py) and PowerShell (exploit.ps1) that can check for the vulnerability and deliver serialized payloads to achieve RCE. The Python scripts can use payloads generated by ysoserial.net, and the PowerShell script automates the full attack chain. - Dockerfiles and docker-compose files for easy lab deployment on Windows, Linux, and macOS, including both the vulnerable server and an attacker machine. - Detection rules (Snort, YARA) and a Nuclei template for automated detection and scanning. - Documentation and guides for both manual and automated exploitation, including example payloads and post-exploitation steps. The main attack vector is network-based, targeting the .NET Remoting service on TCP port 9004. The exploit achieves SYSTEM-level code execution by sending a malicious serialized object to the UAVRServer endpoint. The repository is well-structured for both educational and practical exploitation, with clear separation between vulnerable server code, exploit tools, detection signatures, and documentation.

developerfredDisclosed Nov 17, 2025pythonpowershellnetwork

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

NetwrixAuditorapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

nuclei templates pull requestsNews

Nov 19, 2025

Added CVE-2022-31199 - Netwrix Auditor TCP RCE Template

A critical remote code execution vulnerability in Netwrix Auditor's User Activity Video Recording (UAVR) component, caused by insecure object deserialization in the .NET remoting protocol. Allows unauthenticated attackers to execute arbitrary code as SYSTEM, potentially compromising Active Directory environments.

vulncheck blogNews

Mar 9, 2023

The VulnCheck 2022 Exploited Vulnerability Report - Missing CISA KEV Catalog Entries

A vulnerability in Netwrix Auditor used for initial access; linked to Truebot activity and later Clop ransomware operations.

ic3 alertsNews

Feb 8, 2026

Netwrix Auditor insecure deserialization enabling code execution.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware2

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2022-31199

NVD

nvd.nist.gov/vuln/detail/CVE-2022-31199

MITRE CWE · CWE-502

Deserialization of Untrusted Data

Third Party Advisory

bishopfox.com/blog/netwrix-auditor-advisory

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-31199