CVE-2022-21587 & CVE-2023-22952 Vulnerabilities Being Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities impacting Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite and SugarCRM software to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation in the wild.

The first now-patched critical flaw, tracked as CVE-2022-21587, is rated 9.8 on the CVSS scoring system and could be leveraged to take over Oracle Web Applications Desktop Integrator. An unspecified vulnerability in Oracle E-Business Suite related to the Web Applications Desktop Integrator Application Service Upload component could allow an unauthenticated attacker to cause a high confidentiality impact, high integrity impact, and high availability impact.


The bug impact product Oracle Web Applications Desktop Integrator versions 12.2.3 and 12.2.11 have been addressed in the Oracle Critical Patch Update Advisory – October 2022.

Another flaw tracked as CVE-2023-22952 (CVSS score of 8.8) affects SugarCRM which could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper input validation. By sending a specially-crafted request using the EmailTemplates, an attacker could exploit this vulnerability to execute arbitrary PHP code on the system.

A Remote Code Execution vulnerability has been identified in the EmailTemplates. Using a specially crafted request, custom PHP code can be injected through the EmailTemplates because of missing input validation. Any user privileges can exploit this vulnerability,” SugarCRM noted in an advisory published in January 2023.

CVE-2023-22952 affects the products –

Product Fixed Release
SugarCRM 12.0
Enterprise, Sell, Serve
SugarCRM 11.0
Professional, Enterprise, Ultimate, Sell, Serve

CISA did not disclose any additional specifics about how the vulnerabilities are being weaponized in real-world attacks. Federal agencies in the U.S. are required to patch their systems by February 23, 2023.