
CVE-2022-23410: Axis IP Utility RCE Vulnerability

CVE-2022-23410 is a remote code execution flaw in Axis IP Utility caused by DLL hijacking. Attackers can exploit this to execute malicious code or escalate privileges. This article covers technical details, affected versions, and mitigation.

Published: February 11, 2026

CVE-2022-23410 Overview

CVE-2022-23410 is a DLL hijacking vulnerability affecting AXIS IP Utility before version 4.18.0. The vulnerability allows attackers to achieve remote code execution and local privilege escalation by placing a malicious DLL in the same directory as the IPUtility.exe executable. When the application launches, it attempts to load DLLs from its current working directory without proper validation, enabling the execution of attacker-controlled code with the privileges of the running process.

Critical Impact

Successful exploitation enables remote code execution and local privilege escalation, potentially allowing attackers to gain complete control over affected systems running AXIS IP Utility.

Affected Products

  • AXIS IP Utility versions prior to 4.18.0
  • Systems running IPUtility.exe from directories accessible to attackers

Discovery Timeline

  • 2022-02-14 - CVE-2022-23410 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-23410

Vulnerability Analysis

This vulnerability is classified under CWE-427 (Uncontrolled Search Path Element), a weakness category that describes applications that search for critical resources using an externally controlled search path. The IPUtility.exe application fails to properly validate or specify the complete path for DLL dependencies, instead relying on the Windows DLL search order, which includes the current working directory.

When a user executes IPUtility.exe from a directory containing a malicious DLL—such as when opening a file from a network share or download folder—Windows will load the attacker's DLL before legitimate system libraries. This occurs because Windows searches the application's current working directory before the system directories in its default DLL search order.

The vulnerability requires user interaction to trigger: the user must execute the application from a directory where an attacker has placed a malicious DLL. This attack vector is commonly seen in scenarios where users open files from untrusted locations such as email attachments, network shares, or downloaded archives.

Root Cause

The root cause of this vulnerability lies in the application's failure to implement secure DLL loading practices. IPUtility.exe does not use absolute paths when loading required DLL dependencies, nor does it employ Windows API functions like SetDllDirectory("") to remove the current working directory from the search path. This design flaw allows the Windows loader to search for DLLs in potentially attacker-controlled locations.

Attack Vector

The attack requires local access to place a malicious DLL in a directory where the victim will execute AXIS IP Utility. Common attack scenarios include:

  1. An attacker places a malicious DLL alongside a legitimate file in a shared network folder or download location
  2. The victim navigates to this location and executes IPUtility.exe or opens a file that triggers the application
  3. Windows loads the malicious DLL from the current working directory
  4. The attacker's code executes with the privileges of the user running the application, potentially leading to full system compromise if the user has administrative privileges

The vulnerability exploits the Windows DLL search order mechanism where applications that don't specify absolute paths for their DLL dependencies will search the current working directory, creating an opportunity for DLL hijacking attacks.

Detection Methods for CVE-2022-23410

Indicators of Compromise

  • Unexpected DLL files appearing in directories alongside AXIS IP Utility or in user download folders
  • DLL files with names matching common Windows system libraries located outside of %SystemRoot%\System32
  • Process creation events showing IPUtility.exe loading DLLs from unusual locations
  • Suspicious child processes spawned from IPUtility.exe

Detection Strategies

  • Monitor for DLL loading events from IPUtility.exe where the DLL path does not match expected system directories
  • Deploy endpoint detection rules to alert on DLL side-loading patterns associated with this application
  • Implement file integrity monitoring on directories commonly used for DLL hijacking attacks
  • Use application allowlisting to prevent unauthorized DLLs from being loaded

Monitoring Recommendations

  • Enable Windows Sysmon logging with configuration to capture ImageLoad events (Event ID 7) for IPUtility.exe
  • Monitor process creation logs for any child processes spawned from IPUtility.exe
  • Review security logs for privilege escalation attempts following AXIS IP Utility execution
  • Implement network monitoring for unusual outbound connections from the AXIS IP Utility process
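
The Sysmon-based monitoring above, as an added example (not SentinelOne's or Axis's code): it parses ImageLoad (Event ID 7) records and reports DLLs that IPUtility.exe loaded from outside trusted directories. The event XML, the user paths, example.dll and the EXAMPLE-APPROVED-DIR entry are constructed placeholders.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TARGET = "iputility.exe"
# Directories DLLs are expected to load from. The last entry is a placeholder
# for the approved install location (assumption: the page does not name one).
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64",
                r"C:\Windows\WinSxS", r"C:\Program Files\EXAMPLE-APPROVED-DIR")

def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))

def _under(path, root):
    # Compare on a path boundary so "System32x\" does not pass as "System32\".
    return _norm(path).startswith(_norm(root) + "\\")

def suspicious_loads(xml_text, trusted=TRUSTED_DIRS):
    """Return Event ID 7 loads by IPUtility.exe from outside trusted dirs."""
    findings = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "7":
            continue
        data = {d.get("Name"): d.text or ""
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        image, loaded = data.get("Image", ""), data.get("ImageLoaded", "")
        if ntpath.basename(image).lower() != TARGET:
            continue
        if _norm(loaded) == _norm(image):  # Sysmon also logs the EXE itself
            continue
        if any(_under(loaded, t) for t in trusted):
            continue
        findings.append({
            "dll": loaded,
            "beside_exe": _norm(ntpath.dirname(loaded)) == _norm(ntpath.dirname(image)),
            "signed": data.get("Signed", "").lower() == "true",
        })
    return findings

def _event(eid, image, loaded, signed):  # builds one constructed sample event
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData><Data Name="Image">{image}</Data>'
            f'<Data Name="ImageLoaded">{loaded}</Data>'
            f'<Data Name="Signed">{signed}</Data></EventData></Event>')

EXE = r"C:\Users\alice\Downloads\IPUtility.exe"  # constructed paths throughout
SAMPLE = "<Events>" + "".join([
    _event(7, EXE, EXE, "true"),
    _event(7, EXE, r"C:\Windows\System32\kernel32.dll", "true"),
    _event(7, EXE, r"C:\Users\alice\Downloads\example.dll", "false"),
    _event(7, EXE, r"C:\Windows\System32x\example.dll", "false"),
    _event(7, r"C:\Windows\notepad.exe", r"C:\Temp\example.dll", "false"),
]) + "</Events>"
```

Calling suspicious_loads(SAMPLE) returns two findings; the one with beside_exe set and signed unset is the pattern described in the Attack Vector section.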

How to Mitigate CVE-2022-23410

Immediate Actions Required

  • Update AXIS IP Utility to version 4.18.0 or later immediately
  • Audit systems for vulnerable versions of AXIS IP Utility and prioritize remediation
  • Ensure users do not run AXIS IP Utility from untrusted directories such as download folders or network shares
  • Review recent DLL files created in user-accessible directories for potential malicious content
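
One way to carry out the directory review in the last item, as an added example (not part of the original page or any vendor tool): it walks the given roots, finds every copy of IPUtility.exe, and reports the DLLs sitting beside it, which of them share a name with a System32 library, and whether the directory is writable. The function names, the demo tree and example.dll are hypothetical and constructed.

```python
import os
import tempfile

def sweep_for_sideload_candidates(roots, system_dll_names, exe_name="IPUtility.exe"):
    """Find copies of exe_name under roots and report DLLs sitting beside them.

    system_dll_names: lowercase file names from %SystemRoot%\\System32, passed
    in by the caller so the sweep can also run against a mounted disk image.
    """
    reports = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            if exe_name.lower() not in (f.lower() for f in files):
                continue
            dlls = sorted(f for f in files if f.lower().endswith(".dll"))
            reports.append({
                "directory": dirpath,
                "dlls": dlls,
                "shadows_system": [d for d in dlls if d.lower() in system_dll_names],
                "writable": os.access(dirpath, os.W_OK),  # current user can drop files
            })
    return reports

def list_system32_names(system32=r"C:\Windows\System32"):
    """Lowercase DLL names in System32 (run on the Windows host being audited)."""
    return {n.lower() for n in os.listdir(system32) if n.lower().endswith(".dll")}

def demo():
    """Run the sweep over a constructed directory tree (no real files touched)."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share")
        tools = os.path.join(tmp, "tools")
        layout = ((share, ["IPUtility.exe", "example.dll", "helper.dll"]),
                  (tools, ["IPUtility.exe"]))
        for directory, names in layout:
            os.makedirs(directory)
            for name in names:
                open(os.path.join(directory, name), "wb").close()
        # "example.dll" stands in for a System32 library name (constructed).
        return sweep_for_sideload_candidates([tmp], {"example.dll"})

if __name__ == "__main__":
    for report in demo():
        print(report)
```

A directory that is both writable and holds a DLL in shadows_system is the first place to look; an empty dlls list next to the executable is the expected clean state.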

Patch Information

Axis has released version 4.18.0 of the IP Utility which addresses this vulnerability. Organizations should download the updated version from official Axis distribution channels. For detailed information about the security fix, refer to the Axis Security Advisory CVE-2022-23410.

Workarounds

  • Configure Windows Defender Application Control (WDAC) or AppLocker policies to prevent unauthorized DLL loading
  • Run AXIS IP Utility only from its default installation directory, never from download folders or network locations
  • Deploy SentinelOne Singularity Platform to detect and prevent DLL hijacking attempts in real-time
  • Remove write permissions from directories where AXIS IP Utility is commonly executed
  • Educate users about the risks of running applications from untrusted locations

Organizations using SentinelOne can leverage the platform's behavioral AI engine to detect DLL hijacking attempts, including those targeting AXIS IP Utility. The Singularity Platform provides real-time protection against DLL side-loading attacks by monitoring process behavior and DLL loading patterns.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: RCE
  • Vendor/Tech: Axis IP Utility
  • Severity: HIGH
  • CVSS Score: 7.8
  • EPSS Probability: 0.72%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: High
  • Availability: High

CWE References

  • CWE-427

Vendor Resources

  • Axis Security Advisory CVE-2022-23410