CVE-2022-44000
Description
An issue was discovered in BACKCLICK Professional 5.9.63. Due to an exposed internal communications interface, it is possible to execute arbitrary system commands on the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BACKCLICK Professional 5.9.63 exposes an unauthenticated PHP-Java bridge that allows remote code execution via XML requests.
Vulnerability
BACKCLICK Professional on-premises version 5.9.63 contains an exposed internal communication interface. The PHP-to-Java bridge, accessible at /bc/*.phpjavabridge via HTTP, accepts XML-based requests that allow low-level interaction with Java objects. This interface is publicly accessible without authentication, enabling invocation of arbitrary Java methods such as java.lang.Runtime.getRuntime().exec() [1]. The vulnerability is classified as CWE-913 (Improper Control of Dynamically-Managed Code Resources) and CWE-306 (Missing Authentication for Critical Function) [1].
Exploitation
An attacker with network access to the BACKCLICK server's HTTP service can send a crafted HTTP PUT request to the /bc/*.phpjavabridge endpoint. Using the bridge's XML-based method invocation, the attacker can call java.lang.Runtime.getRuntime().exec() and execute arbitrary system commands in the context of the application server [1]. No prior authentication is required, because the internal interface is exposed without any access control. The advisory provides a proof-of-concept using curl [1]. Reference [2] notes that some attacks in this advisory series can be performed via the external web interface while others are restricted to internal services; for CVE-2022-44000, the exposed endpoint may be reachable externally if it is not firewalled, so exposure should be verified per deployment rather than assumed.
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands on the server with the privileges of the BACKCLICK application server process. This can lead to full server compromise, including data exfiltration, installation of malware, or further lateral movement within the network. The impact is high, with complete loss of confidentiality, integrity, and availability [1].
Mitigation
As of the advisory publication date (2022-11-14), the manufacturer's solution status is unknown [1]. The SySS advisory notes that details of remediation are not available from the vendor [2]. No workaround or patch is provided in the references. Until an official fix is released, administrators should restrict network access to the /bc/*.phpjavabridge endpoint using firewall rules or reverse proxy configurations, allowing only the hosts that legitimately need to call the bridge, and should review web server access logs for requests to that path from any other source. If the BACKCLICK instance is no longer supported, migration to an alternative solution is recommended.
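The following Python script is an added example for the Exploitation and Mitigation sections above; it is not code from the advisory, from SySS, or from the BACKCLICK product. It scans web server access logs for any request whose path matches the /bc/*.phpjavabridge shape named in the advisory and classifies each hit by whether its source falls inside a trusted network. The trusted ranges (RFC 1918 plus loopback) and the log lines are assumptions constructed for the example; in practice the allowlist is the same set of hosts the firewall or reverse proxy rule should permit, so the script doubles as a check that the restriction is actually in place. The request body is not examined because the page does not document the bridge's XML payload format.

```python
"""Flag access-log requests that reach a BACKCLICK PHP-Java bridge endpoint
(/bc/*.phpjavabridge) and classify them by source network.

Added example for the CVE-2022-44000 page; not vendor or advisory code.
"""
import ipaddress
import re
from dataclasses import dataclass

# Apache httpd / nginx "combined" log format: client, identd, user, [time],
# "METHOD PATH PROTO", status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Path shape taken from the advisory wording "/bc/*.phpjavabridge";
# an optional query string is tolerated.
BRIDGE_RE = re.compile(r'^/bc/.*\.phpjavabridge(?:\?.*)?$')

# Assumption: only these networks are expected to call the bridge.
# Replace with the actual ranges of the systems that legitimately use it.
DEFAULT_TRUSTED = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


@dataclass
class Finding:
    timestamp: str
    source: str
    method: str
    path: str
    status: int
    external: bool  # True when the source is outside every trusted network


def parse_line(line):
    """Return the fields of one combined-format log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_bridge_request(path):
    """True if the request path targets a /bc/*.phpjavabridge endpoint."""
    return BRIDGE_RE.match(path) is not None


def is_trusted_source(ip, trusted_nets):
    """True if ip lies inside one of trusted_nets; unparsable sources are untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def find_bridge_exposure(log_text, trusted_nets=DEFAULT_TRUSTED):
    """Collect every bridge request in log_text, in log order, tagged by source trust.

    Every hit is reported (including non-2xx responses) because a blocked
    external probe is still evidence that the endpoint is being looked for.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_bridge_request(rec["path"]):
            continue
        findings.append(Finding(
            timestamp=rec["ts"],
            source=rec["ip"],
            method=rec["method"],
            path=rec["path"],
            status=rec["status"],
            external=not is_trusted_source(rec["ip"], trusted_nets),
        ))
    return findings


# Constructed sample traffic (not real log data); the .phpjavabridge file
# names are placeholders, as the page only gives the /bc/*.phpjavabridge shape.
SAMPLE_LOG = """\
10.0.5.12 - - [14/Nov/2022:10:01:02 +0000] "GET /bc/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [14/Nov/2022:10:01:09 +0000] "PUT /bc/example.phpjavabridge HTTP/1.1" 200 318 "-" "curl/7.85.0"
10.0.5.12 - - [14/Nov/2022:10:02:17 +0000] "PUT /bc/example.phpjavabridge HTTP/1.1" 200 318 "-" "PHP/7.4"
198.51.100.7 - - [14/Nov/2022:10:03:40 +0000] "GET /bc/foo.phpjavabridge?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.28"
"""

if __name__ == "__main__":
    for f in find_bridge_exposure(SAMPLE_LOG):
        tag = "EXTERNAL" if f.external else "internal"
        print(f"{tag:8} {f.timestamp} {f.source} {f.method} {f.path} -> {f.status}")
```

Run against the constructed sample, the script reports two external hits (one successful PUT from 203.0.113.45 and one blocked probe from 198.51.100.7) and one internal PUT. Any external hit with a 2xx status means the endpoint is reachable from outside the allowlist and the network restriction described above is not effective.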
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- BACKCLICK/Professional
- Range: =5.9.63
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.