CriticalCISA KEVExploited in the wildPublic exploit

RCE via Unrestricted File Upload in dotCMS ContentResource API

IdentifiersCVE-2022-26352CWE-434

CVE-2022-26352 is a critical vulnerability in dotCMS versions 3.0 through 22.02, specifically in the ContentResource API. The flaw allows attackers to upload files with unsanitized filenames via crafted multipart form requests, enabling directory traversal and saving files outside the intended storage location. If anonymous content creation is enabled, unauthenticated attackers can upload executable files (such as .jsp), leading to remote code execution. This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and has a CVSS v3.1 base score of 9.8. Public exploit code is available, and the vulnerability is actively exploited in the wild, including by North Korean threat actors such as H0lyGh0st.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthenticated remote attackers to achieve arbitrary file upload and remote code execution on affected dotCMS instances. This can result in full compromise of the application and underlying server, including data theft, lateral movement, and deployment of ransomware. The vulnerability is actively exploited by threat actors, including the H0lyGh0st ransomware group, leading to significant risks to confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable anonymous content creation and restrict access to the ContentResource API. Implement web application firewall (WAF) rules to block suspicious multipart form requests and file uploads with dangerous extensions. Monitor logs for unusual file upload activity and directory traversal attempts. Apply least privilege principles to application and server accounts to limit potential impact.

Remediation

Patch, then assume compromise.

Upgrade dotCMS to a version that addresses CVE-2022-26352 as per vendor advisories. Ensure that all instances are patched, and disable anonymous content creation if not required. Review and restrict file upload functionality to prevent upload of executable files. Monitor for indicators of compromise and apply additional security controls as recommended by the vendor.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

DotcmsDotcmsapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

picus security blogNews

Jul 29, 2022

H0lyGh0st - North Korean Threat Group Strikes Back With New Ransomware

A remote code execution vulnerability in DotCMS that H0lyGh0st uses for initial access by exploiting public-facing web applications/content management systems.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence3

Every observed campaign linking this CVE to a named adversary.

Associated malware4

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2022-26352

NVD

nvd.nist.gov/vuln/detail/CVE-2022-26352

MITRE CWE · CWE-434

cwe.mitre.org

Third Party Advisory

packetstormsecurity.com/files/167365/dotCMS-Shell-Upload.html

Third Party Advisory

groups.google.com/g/dotcms

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26352