VYPR
Unrated severity · NVD Advisory · Published Aug 25, 2022 · Updated Aug 3, 2024

CVE-2022-36117

Description

An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In a misconfigured environment that exposes the Blue Prism Application server, it is possible for an authenticated user to reverse engineer the Blue Prism software and circumvent access controls for an administrative function. If credential access is configured to be accessible by a machine or the runtime resource security group, using further reverse engineering, an attacker can spoof a known machine and request known encrypted credentials to decrypt later.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated attacker can reverse-engineer Blue Prism Enterprise 6.0–7.01 and bypass admin access controls, potentially decrypting stolen credentials.

Vulnerability

This issue affects Blue Prism Enterprise versions 6.0 through 7.01. When a misconfigured environment exposes the Blue Prism Application server to users who should not reach it, an authenticated user can reverse-engineer the Blue Prism client software and circumvent the access controls protecting an administrative function [1][2].

Exploitation

Exploitation requires authenticated access to a Blue Prism Application server that misconfiguration has left reachable. If credential access is configured to be available to a machine or to the runtime resource security group, the attacker can, with further reverse engineering, spoof a known machine and request the encrypted credentials that machine is entitled to, for decryption later. The vendor notes that exploitation depends on several complex prerequisites, in particular that the Blue Prism platform components are not deployed in a logically secured network as recommended [2].

Impact

Upon successful exploitation, an attacker can obtain encrypted credentials and later decrypt them. This leads to disclosure of sensitive credentials, potentially compromising the Blue Prism environment and the systems it controls. The vendor rates the potential impact as critical but notes a low probability of exploitation due to the strict prerequisites [2].

Mitigation

SS&C Blue Prism has incorporated fixes into version 7.1, the latest release, which is available from the vendor; patches for the 6.x line, starting at 6.4, are being prepared. Cloud customers are not affected because the cloud platform already follows security best practices. As a workaround, follow the Blue Prism Robotic Operating Model (ROM) practices, in particular logical network segmentation and allow-listing of connections, so that the Application server is reachable only from approved runtime resources and client workstations [2].
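The allow-listing workaround above, as an added example that is not SS&C Blue Prism's own script or part of the advisory: a Windows Defender Firewall configuration for the host running the Application server that denies inbound traffic by default and permits the server's listening port only from approved addresses. The port number, the address list, and the rule name prefix are placeholders chosen for this example; substitute the port your Application server was actually configured with and the real addresses of your runtime resources and interactive clients.

```powershell
# Added example, not vendor code. Run elevated on the Blue Prism Application Server host.
# Assumptions (not taken from the advisory):
#   - $AppServerPort is the TCP port the Application Server listens on; 8199 is a placeholder,
#     use the value configured on your server.
#   - $AllowedClients are the only hosts that should reach the server (runtime resources and
#     interactive client workstations). The addresses below are constructed sample values.
#   - The server sits on the Domain or Private profile; adjust -Profile if yours differs.

$AppServerPort  = 8199
$AllowedClients = @('10.20.30.11', '10.20.30.12', '10.20.31.0/24')   # constructed sample addresses
$RulePrefix     = 'BluePrism-AppServer'

# Deny-by-default inbound posture on every profile. With this in place no explicit block
# rule is needed, and an explicit block would in fact override the allow rule below,
# because Windows Firewall evaluates block rules before allow rules.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Remove rules created by an earlier run so the script is idempotent.
Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Single allow rule scoped to the approved remote addresses and the server port only.
New-NetFirewallRule -DisplayName "$RulePrefix-AllowListedClients" `
    -Direction Inbound -Protocol TCP -LocalPort $AppServerPort `
    -RemoteAddress $AllowedClients -Action Allow -Profile Domain,Private | Out-Null

# Verification: show each rule we own together with its remote-address filter, so an
# operator can confirm the port is not opened to 'Any'.
Get-NetFirewallRule -DisplayName "$RulePrefix*" | ForEach-Object {
    $filter = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule   = $_.DisplayName
        Action = $_.Action
        Remote = ($filter.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize
```

To confirm the segmentation from the other side, run `Test-NetConnection -ComputerName <app-server> -Port <port>` from a host that is not on the list; `TcpTestSucceeded` should be `False`, while the same command from an allow-listed runtime resource should succeed. This only restricts reachability of the server; it does not change how credential access is assigned to machines or the runtime resource security group, so that configuration should still be reviewed as the advisory describes.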

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2


References: 3
