Unrated severity · CISA KEV · NVD Advisory · Published Mar 24, 2023 · Updated Oct 21, 2025
CVE-2022-42948
Description
Cobalt Strike 4.7.1 fails to properly escape HTML tags when they are displayed on Swing components. By injecting crafted HTML code, it is possible to remotely execute code in the Cobalt Strike UI.
Affected products (1)
- Cobalt Strike/Cobalt Strike
Patches (0)
No patches discovered yet.
References (3)
News mentions (0)
No linked articles in our index yet.