CVE-2022-37027
Description
Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators that can modify the Runtime Options in the web interface can inject Java Runtime Options. These take effect after a restart. For example, an attacker can enable JMX services and consequently achieve remote code execution as the system user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated administrator of AhsayCBS 9.1.4.0 can inject arbitrary Java JVM options via the web interface, leading to remote code execution as SYSTEM after a restart.
Vulnerability
Ahsay Cloud Backup Suite (AhsayCBS) version 9.1.4.0 for Windows allows an authenticated system user (administrator) to inject arbitrary Java Virtual Machine (JVM) options through the Runtime Options settings in the web interface. The affected endpoint is /cbs/system/ShowAdvanced.do. The options take effect only after a service restart. Version 9.3.2.48 is reported as not vulnerable [1][2].
Exploitation
An attacker with valid administrative credentials to the web interface can intercept the POST request to ShowAdvanced.do and modify the request parameters (e.g., editConfigBean.*) to include malicious JVM options. For example, the attacker can enable Java Management Extensions (JMX) services by injecting -Dcom.sun.management.jmxremote and related options. No additional user interaction or network position beyond authenticated access to the web UI is required [2].
Impact
Successful exploitation allows the attacker to achieve remote code execution (RCE) as NT AUTHORITY\SYSTEM on the Windows host after a restart of the AhsayCBS service. This results in complete compromise of the system's confidentiality, integrity, and availability [2].
Mitigation
AhsayCBS version 9.3.2.48 fixes the vulnerability [2]. The vendor's release notes for v9.3.2.0 are available [4]. There is no indication that CVE-2022-37027 is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. If immediate patching is not possible, restrict administrative access to the web interface to trusted users and monitor for unauthorized configuration changes. Because injected options only take effect on the next service restart, review the stored Runtime Options for unexpected entries (JMX, debugger, or agent flags) before any planned restart, and treat an unexplained change to that field as an incident rather than a configuration drift.
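The following is an added example, not code from the Compass Security advisory or from Ahsay. It covers both the injection described under Exploitation and the change monitoring suggested under Mitigation: a diff-and-flag audit of a Runtime Options string against a known-good baseline, and an allowlist validator of the kind the server should apply before persisting the field. It assumes the Runtime Options field is stored as one whitespace-separated string of JVM arguments; the allowlist is a hypothetical guess at what a backup server legitimately needs, and the sample option strings are constructed for this example. The JVM flags on the deny list are standard HotSpot options.

```python
"""Audit JVM Runtime Options strings for injected management or agent flags.

Added example for this page; not Ahsay's or Compass Security's code.
Assumptions: the Runtime Options field is one whitespace-separated string of
JVM arguments, and ALLOWED_PREFIXES is a hypothetical allowlist. The sample
strings BASELINE and INJECTED are constructed for this example.
"""
from dataclasses import dataclass, field

# JVM flags that let whoever controls the command line run code or open an
# unauthenticated management channel once the service restarts.
DANGEROUS_PREFIXES = {
    "-Dcom.sun.management.jmxremote": "enables JMX remote management",
    "-javaagent:": "loads an arbitrary Java agent jar at startup",
    "-agentpath:": "loads an arbitrary native agent library",
    "-agentlib:": "loads a native agent library (jdwp opens a debug port)",
    "-Xrunjdwp": "legacy JDWP debugger transport",
    "-Xdebug": "enables debugger support",
    "-XX:OnError=": "runs a shell command when the JVM crashes",
    "-XX:OnOutOfMemoryError=": "runs a shell command on OutOfMemoryError",
    "-Djava.rmi.server.codebase=": "enables remote class loading over RMI",
}

# Hypothetical allowlist for the hardened check: only memory and encoding
# tuning is accepted; anything else is rejected before it is persisted.
ALLOWED_PREFIXES = (
    "-Xms", "-Xmx", "-Xss", "-XX:MaxMetaspaceSize=",
    "-Dfile.encoding=", "-Duser.timezone=",
)

# Constructed samples: a sane baseline, and the same baseline with an
# unauthenticated JMX listener appended through the web form.
BASELINE = "-Xms1024m -Xmx4096m -Dfile.encoding=UTF-8"
INJECTED = (
    BASELINE
    + " -Dcom.sun.management.jmxremote"
    + " -Dcom.sun.management.jmxremote.port=9999"
    + " -Dcom.sun.management.jmxremote.authenticate=false"
    + " -Dcom.sun.management.jmxremote.ssl=false"
)


@dataclass
class AuditResult:
    added: list = field(default_factory=list)    # options absent from baseline
    removed: list = field(default_factory=list)  # baseline options now gone
    flagged: dict = field(default_factory=dict)  # option -> why it is dangerous

    @property
    def suspicious(self) -> bool:
        return bool(self.flagged)


def tokenize(options: str) -> list:
    # Splits on whitespace. Option values that themselves contain spaces would
    # need the launcher's quoting rules and are out of scope here.
    return options.split()


def flag_reason(option: str):
    """Return why an option is dangerous, or None if it is not on the list."""
    for prefix, reason in DANGEROUS_PREFIXES.items():
        if option.startswith(prefix):
            return reason
    return None


def audit_runtime_options(baseline: str, proposed: str) -> AuditResult:
    """Monitoring view: diff against a known-good baseline and flag hits."""
    base, new = tokenize(baseline), tokenize(proposed)
    result = AuditResult()
    result.added = [o for o in new if o not in base]
    result.removed = [o for o in base if o not in new]
    for option in new:
        reason = flag_reason(option)
        if reason:
            result.flagged[option] = reason
    return result


def validate_allowlist(proposed: str) -> list:
    """Hardened server-side check: return every option not on the allowlist.

    An empty list means the string may be saved; a non-empty list should
    become a form error rather than being silently dropped.
    """
    return [o for o in tokenize(proposed) if not o.startswith(ALLOWED_PREFIXES)]


if __name__ == "__main__":
    report = audit_runtime_options(BASELINE, INJECTED)
    for option, reason in report.flagged.items():
        print(f"FLAGGED {option}: {reason}")
    print("rejected by allowlist:", validate_allowlist(INJECTED))
```

The deny list in audit_runtime_options is what a defender runs against the stored configuration or a captured ShowAdvanced.do request body; it will catch the JMX case from the advisory but can never be complete, which is why validate_allowlist, which rejects everything not explicitly permitted, is the shape of the fix a vendor should apply server-side.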
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Ahsay/AhsayCBS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- wiki.ahsay.com/doku.php (MISC)
- www.ahsay.com/jsp/en/downloads/ahsay-downloads_latest-software_ahsaycbs.jsp (MISC)
- www.ahsay.com/partners/en/home/index.jsp (CONFIRM)
- www.compass-security.com/en/research/advisories (MISC)
- www.compass-security.com/fileadmin/Research/Advisories/2022_12_CSNC-2022-009_AhsayCBS_Java_Runtime_Parameter_Injection.txt (MISC)
News mentions
No linked articles in our index yet.