CVE-2022-31199 Overview
CVE-2022-31199 is an insecure deserialization vulnerability [CWE-502] in the Netwrix Auditor User Activity Video Recording component. The flaw affects both the Netwrix Auditor server and the agents deployed to monitored systems. The underlying protocol used by the component accepts attacker-controlled serialized objects without validation. An unauthenticated remote attacker can execute arbitrary code as NT AUTHORITY\SYSTEM on affected hosts. Because Netwrix Auditor agents run on systems across the monitored estate, successful exploitation can extend impact well beyond the Auditor server itself. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2022-31199 to its Known Exploited Vulnerabilities catalog.
Critical Impact
Unauthenticated remote code execution as NT AUTHORITY\SYSTEM on the Netwrix Auditor server and on every monitored system running the Auditor agent.
Affected Products
- Netwrix Auditor server versions prior to 10.5
- Netwrix Auditor User Activity Video Recording agents on monitored systems
- Deployments exposing the affected component on TCP port 9004
Discovery Timeline
- 2022-11-08 - CVE-2022-31199 published to the National Vulnerability Database (NVD)
- 2025-11-03 - Last updated in the NVD database
Technical Details for CVE-2022-31199
Vulnerability Analysis
The vulnerability is an insecure deserialization flaw [CWE-502] in the User Activity Video Recording component shipped with Netwrix Auditor. The component exposes a .NET remoting interface used for inter-process communication between the Auditor server and its agents. The interface deserializes attacker-controlled data without enforcing type restrictions or signature checks. An attacker who can reach the network port hosting the component can submit a crafted serialized payload to trigger code execution during deserialization.
Because the service runs with SYSTEM privileges, exploitation grants full control of the host. The agent component runs on every monitored endpoint, so a single unauthenticated attacker can pivot from the Auditor server to any system in the monitored estate. The vulnerability requires no user interaction and no prior authentication.
Root Cause
The root cause is unsafe use of a .NET binary formatter that reconstructs arbitrary object types from network input. The component does not constrain deserialization to a known type allowlist. Gadget chains available in the .NET runtime and loaded assemblies provide the primitives needed to reach code execution during object graph reconstruction.
Attack Vector
The attack vector is network-based and unauthenticated. An attacker sends a crafted serialized .NET object to the listening port on the Auditor server or on any agent host. Deserialization of the payload triggers a gadget chain that invokes a process or assembly load, yielding command execution as SYSTEM. The Bishop Fox advisory confirms the issue is exploitable across the agent population, enabling lateral movement at scale.
No verified public proof-of-concept code is referenced in the advisory data. Refer to the Bishop Fox Blog Advisory for technical details on the affected protocol and gadget usage.
Detection Methods for CVE-2022-31199
Indicators of Compromise
- Unexpected child processes spawned by Netwrix Auditor binaries such as those under C:\Program Files (x86)\Netwrix Auditor\ running as NT AUTHORITY\SYSTEM
- Outbound or inbound traffic to TCP port 9004 from hosts that are not authorized Netwrix Auditor servers
- New service installations, scheduled tasks, or PowerShell execution chains originating from Netwrix Auditor processes
- Crash, restart, or unusual memory growth events in the User Activity Video Recording service
Detection Strategies
- Monitor for process lineage where Netwrix Auditor service processes spawn cmd.exe, powershell.exe, rundll32.exe, or regsvr32.exe
- Alert on .NET deserialization gadget indicators such as loads of System.Runtime.Remoting or System.Workflow.ComponentModel followed by process creation
- Inspect Windows Event Logs for service installation (Event ID 7045) and new scheduled tasks (Event ID 4698) under SYSTEM context on Auditor hosts
- Hunt for inbound connections to port 9004 from non-Auditor sources using network flow data
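The process-lineage and port 9004 hunts above, as an added example that is not part of the advisory: it runs the two checks over constructed process-creation and flow records. The install directory, LOLBin names and port come from the page; the Auditor binary name, host addresses and the authorized-server set are assumptions.

```python
# Added example (not from the advisory): apply the CVE-2022-31199 detection
# strategies to constructed telemetry. Binary name and addresses are placeholders.
import ntpath

AUDITOR_DIR = r"C:\Program Files (x86)\Netwrix Auditor"  # install path named in the advisory
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}
AGENT_PORT = 9004                      # port used by the affected component
AUTHORIZED_SERVERS = {"10.0.5.10"}     # assumption: the only legitimate Auditor server

def is_auditor_process(image: str) -> bool:
    """True when the binary lives under the Netwrix Auditor install directory."""
    return image.lower().startswith(AUDITOR_DIR.lower() + "\\")

def suspicious_children(events):
    """Process-creation records where an Auditor process spawns a LOLBin as SYSTEM."""
    hits = []
    for e in events:
        child = ntpath.basename(e["image"]).lower()
        if (is_auditor_process(e["parent_image"]) and child in LOLBINS
                and e["user"].upper() == "NT AUTHORITY\\SYSTEM"):
            hits.append(e)
    return hits

def rogue_agent_connections(flows):
    """Flows to the agent port whose source is not an authorized Auditor server."""
    return [f for f in flows
            if f["proto"] == "tcp" and f["dport"] == AGENT_PORT
            and f["src"] not in AUTHORIZED_SERVERS]

# Constructed sample telemetry; PLACEHOLDER_agent.exe stands in for the real binary name.
AGENT = AUDITOR_DIR + r"\PLACEHOLDER_agent.exe"
PROCESS_EVENTS = [
    {"parent_image": AGENT, "image": r"C:\Windows\System32\cmd.exe",
     "user": "NT AUTHORITY\\SYSTEM"},                       # Auditor -> cmd.exe as SYSTEM: alert
    {"parent_image": AGENT, "image": r"C:\Windows\System32\conhost.exe",
     "user": "NT AUTHORITY\\SYSTEM"},                       # console host: expected, no alert
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\powershell.exe",
     "user": "CORP\\alice"},                                # interactive user, not Auditor lineage
]
FLOWS = [
    {"src": "10.0.5.10", "dst": "10.0.7.22", "dport": 9004, "proto": "tcp"},  # server -> agent: ok
    {"src": "10.0.9.77", "dst": "10.0.7.22", "dport": 9004, "proto": "tcp"},  # unknown peer: alert
    {"src": "10.0.9.77", "dst": "10.0.7.22", "dport": 443, "proto": "tcp"},   # unrelated port
]

if __name__ == "__main__":
    for e in suspicious_children(PROCESS_EVENTS):
        print("ALERT process lineage:", e["parent_image"], "->", e["image"])
    for f in rogue_agent_connections(FLOWS):
        print("ALERT unauthorized peer on 9004:", f["src"], "->", f["dst"])
```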
Monitoring Recommendations
- Apply network segmentation rules and alert when the Auditor server or its agents communicate with unexpected peers
- Baseline normal Netwrix Auditor process activity and alert on deviations in command line arguments or loaded modules
- Forward Auditor server and agent telemetry to a centralized analytics platform for correlation across the monitored estate
How to Mitigate CVE-2022-31199
Immediate Actions Required
- Upgrade Netwrix Auditor to version 10.5 or later, which removes the vulnerable User Activity Video Recording component
- Identify and inventory every system running a Netwrix Auditor agent and confirm patch status on each host
- Block inbound access to TCP port 9004 at the host firewall and network perimeter for all systems that do not require it
- Treat any internet-exposed Netwrix Auditor instance as potentially compromised and initiate incident response procedures
Patch Information
Netwrix removed the vulnerable User Activity Video Recording component in Netwrix Auditor version 10.5. Customers must upgrade both the server and all deployed agents because the agent component is independently exploitable. Refer to the Bishop Fox Blog Advisory and the CISA Known Exploited Vulnerabilities catalog entry for remediation guidance. The CISA KEV listing requires federal agencies to remediate within the prescribed deadline.
Workarounds
- If immediate patching is not possible, disable the User Activity Video Recording feature in the Netwrix Auditor configuration
- Restrict network access to the affected service ports using host firewall rules limited to known Auditor server addresses
- Place Netwrix Auditor servers and agents on an isolated management network with no direct internet exposure
- Rotate credentials and service accounts used by Netwrix Auditor on hosts suspected of exposure
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.