VYPR
Unrated severity · NVD Advisory · Published Jul 6, 2022 · Updated Aug 3, 2024

CVE-2022-32290

Description

The client in Northern.tech Mender 3.2.0, 3.2.1, and 3.2.2 has Incorrect Access Control. It listens on a random, unprivileged TCP port and exposes an HTTP proxy to facilitate API calls from additional client components running on the device. However, it listens on all network interfaces instead of only the localhost interface. Therefore, any client on the same network can connect to this TCP port and send HTTP requests. The Mender Client will forward these requests to the Mender Server. Additionally, if mTLS is set up, the Mender Client will connect to the Mender Server using the device's client certificate, making it possible for the attacker to bypass mTLS authentication and send requests to the Mender Server without direct access to the client certificate and related private key. Accessing the HTTP proxy from the local network doesn't represent a direct threat, because it doesn't expose any device or server-specific data. However, it increases the attack surface and can be a potential vector to exploit other vulnerabilities both on the Client and the Server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mender Client 3.2.0–3.2.2 exposes an HTTP proxy on all interfaces, allowing network attackers to bypass mTLS and relay requests to the server.

Vulnerability

The Mender Client versions 3.2.0, 3.2.1, and 3.2.2 contain an incorrect access control vulnerability. The client listens on a random, unprivileged TCP port and exposes an HTTP proxy intended for API calls from other client components running on the same device. Because those callers are all local, the socket only needs to be bound to the loopback interface; instead it is bound to all network interfaces, so the proxy is reachable from any host that can route packets to the device [2].

Exploitation

An attacker on the same network as the device first has to locate the listener, since the port is chosen at random from the unprivileged range (a port scan of the device is enough), and can then connect to it and send HTTP requests through the proxy, which relays them to the Mender Server. If mutual TLS (mTLS) is configured, the Mender Client authenticates that upstream connection with the device's client certificate, so the attacker's relayed requests reach the server with the device's identity even though the attacker never held the certificate or private key [2]. No credentials or user interaction are required beyond network reachability of the device.
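The bind mistake and the relay it enables, as an added illustration in Go (the language the Mender client is written in). This is not Mender's code: the listener, the forwarding handler and the echo upstream are stand-ins written for this page, and the request path is made up. It shows the wildcard bind beside the loopback-only bind, a check that tells the two apart from the listener's address, and a request from a second party travelling through the proxy to the upstream with the proxy's own HTTP client, which is where a device certificate would be attached in an mTLS deployment.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// newProxyListener opens the kind of listener the advisory describes: a
// random, unprivileged TCP port (port "0" lets the kernel choose). With
// loopbackOnly=false the socket is bound to the wildcard address, which is
// what made 3.2.0-3.2.2 reachable from the LAN; with loopbackOnly=true it is
// bound to 127.0.0.1 and only processes on the device can connect.
func newProxyListener(loopbackOnly bool) (net.Listener, error) {
	host := "" // "" means 0.0.0.0 and/or [::]
	if loopbackOnly {
		host = "127.0.0.1"
	}
	return net.Listen("tcp", net.JoinHostPort(host, "0"))
}

// exposedBeyondLoopback reports whether other hosts could reach the listener:
// true for the unspecified address and for any concrete non-loopback IP.
func exposedBeyondLoopback(addr net.Addr) bool {
	tcp, ok := addr.(*net.TCPAddr)
	if !ok {
		return true // unknown address type: assume exposed
	}
	if tcp.IP == nil || tcp.IP.IsUnspecified() {
		return true
	}
	return !tcp.IP.IsLoopback()
}

// forwardingProxy is a minimal stand-in for the client's API proxy: every
// request is re-issued to upstream with the supplied client. In a real mTLS
// setup that client's TLS config (http.Transport.TLSClientConfig.Certificates)
// carries the device certificate, so whoever can reach the proxy talks to the
// server with the device's identity without ever touching the private key.
func forwardingProxy(upstream string, client *http.Client) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		req, err := http.NewRequest(r.Method, upstream+r.URL.RequestURI(), r.Body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		req.Header = r.Header.Clone()
		resp, err := client.Do(req)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		w.WriteHeader(resp.StatusCode)
		io.Copy(w, resp.Body)
	})
}

// relayThrough stands up an echo server in place of the Mender Server, fronts
// it with the proxy on the chosen kind of listener, sends one request through
// the proxy and returns whether the listener was exposed plus the server's
// reply. The request is sent via 127.0.0.1 so it works for both bind modes.
func relayThrough(loopbackOnly bool, path string) (exposed bool, reply string, err error) {
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "server saw %s %s", r.Method, r.URL.Path)
	}))
	defer upstream.Close()

	ln, err := newProxyListener(loopbackOnly)
	if err != nil {
		return false, "", err
	}
	exposed = exposedBeyondLoopback(ln.Addr())
	srv := &http.Server{Handler: forwardingProxy(upstream.URL, upstream.Client())}
	go srv.Serve(ln)
	defer srv.Close()

	port := strconv.Itoa(ln.Addr().(*net.TCPAddr).Port)
	resp, err := http.Get("http://" + net.JoinHostPort("127.0.0.1", port) + path)
	if err != nil {
		return exposed, "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return exposed, string(b), err
}

func main() {
	// Hypothetical path; it only has to be echoed back by the stand-in server.
	for _, loopbackOnly := range []bool{false, true} {
		exposed, reply, err := relayThrough(loopbackOnly, "/api/devices/v1/example")
		fmt.Printf("loopbackOnly=%v exposed=%v reply=%q err=%v\n", loopbackOnly, exposed, reply, err)
	}
}
```

The fix is the single line that chooses the bind host: nothing about the proxy logic changes, only who can reach it. The loopback-only listener still serves local components, which is the access the proxy was built for.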

Impact

By relaying through the proxy, an attacker's requests reach the Mender Server carrying the device's mTLS identity, so the server's client-certificate check is satisfied although the attacker never possessed the certificate or private key. The proxy itself does not directly expose device or server data, but it enlarges the attack surface of both ends: it gives an unauthenticated network peer a path to the server's device-facing API and to the client's own request handling, which can be chained with other vulnerabilities on either side to reach unauthorized operations or data [2].

Mitigation

The vulnerability was fixed in Mender Client version 3.3.0 [2]. Users are strongly advised to upgrade to 3.3.0 or later. The advisory lists no workaround for the affected versions; until a device is upgraded, a host firewall that only accepts inbound connections to the services the device actually needs to expose removes the network reachability of the proxy (the port is re-chosen at each client start, so a rule pinned to one port number would not hold across restarts). The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.
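A check for devices that are still on 3.2.x, as an added example in Go that is not part of the advisory or of Mender: it reads `ss -ltnp` output and reports every listener of a named process that is bound beyond loopback. The sample output below is constructed for this page (the PIDs, ports and the second-to-last row's address are invented) and follows the column layout `ss` prints: State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// sampleSS is constructed `ss -ltnp` output for illustration; PIDs, ports and
// addresses are made up, not captured from a real device. The "mender" rows
// show a loopback bind (fine), an IPv4 wildcard, an IPv6 wildcard and a bind
// to a concrete LAN address (all three reachable from the network).
const sampleSS = `State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=612,fd=3))
LISTEN 0      4096   127.0.0.1:45211     0.0.0.0:*         users:(("mender",pid=901,fd=7))
LISTEN 0      4096   0.0.0.0:38457       0.0.0.0:*         users:(("mender",pid=901,fd=8))
LISTEN 0      4096   [::]:38458          [::]:*            users:(("mender",pid=901,fd=9))
LISTEN 0      4096   192.168.7.20:8080   0.0.0.0:*         users:(("mender",pid=901,fd=10))
`

// procRe pulls the process name and PID out of the users:(("name",pid=N,fd=M)) column.
var procRe = regexp.MustCompile(`\(\("([^"]+)",pid=(\d+)`)

// Listener is one LISTEN row belonging to the process of interest.
type Listener struct {
	Process string
	PID     string
	Local   string // as printed by ss, e.g. "0.0.0.0:38457"
	Exposed bool   // reachable from other hosts, not only via loopback
}

// reachableFromNetwork interprets the Local Address:Port column. ss prints the
// wildcard as "*", "0.0.0.0" or "[::]"; anything that is not a loopback
// address is reachable by other hosts through whichever interfaces are up.
func reachableFromNetwork(local string) bool {
	host, _, err := net.SplitHostPort(local)
	if err != nil {
		return true // unparseable row: flag it rather than silently skip it
	}
	if host == "*" || host == "" {
		return true
	}
	ip := net.ParseIP(host)
	if ip == nil || ip.IsUnspecified() {
		return true
	}
	return !ip.IsLoopback()
}

// exposedListeners returns the LISTEN rows of ssOutput that belong to proc
// and are bound beyond loopback. The client picks a new random port at every
// start, so the result only describes the instance currently running.
func exposedListeners(ssOutput, proc string) []Listener {
	var out []Listener
	for _, line := range strings.Split(ssOutput, "\n") {
		f := strings.Fields(line)
		if len(f) < 6 || f[0] != "LISTEN" {
			continue
		}
		m := procRe.FindStringSubmatch(f[len(f)-1])
		if m == nil || m[1] != proc {
			continue
		}
		l := Listener{Process: m[1], PID: m[2], Local: f[3], Exposed: reachableFromNetwork(f[3])}
		if l.Exposed {
			out = append(out, l)
		}
	}
	return out
}

func main() {
	for _, l := range exposedListeners(sampleSS, "mender") {
		fmt.Printf("%s pid=%s listening on %s is reachable from the network\n", l.Process, l.PID, l.Local)
	}
}
```

On a real device, pipe the command output in instead of the constant (`ss -ltnp` needs root to show process names). Any row the function reports for the client process on a 3.2.x device is the proxy this advisory describes; after the upgrade to 3.3.0 or later the client's listener should appear only on 127.0.0.1.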

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2


References: 2
