December 6, 2023 at 09:52AM
CISA removed CVE-2022-28958, a supposed critical flaw in a D-Link router, from its Known Exploited Vulnerabilities (KEV) catalog after a review revealed it was not a real vulnerability. VulnCheck debunked the issue, which was originally believed to allow remote code execution (RCE). The flaw was included due to an invalid proof of concept (PoC) but was never exploitable at scale.
Key Takeaways:
1. CVE-2022-28958, once considered a critical RCE vulnerability affecting a D-Link router, has been debunked and dismissed as a “fake vulnerability” by cybersecurity experts.
2. CISA removed CVE-2022-28958 from its KEV catalog, and the NVD no longer classifies it as a vulnerability after extensive review.
3. The supposed vulnerability carried a 9.8 severity score but was proven to have no actual impact on the systems it was thought to affect.
4. Jacob Baines, CTO of VulnCheck, discovered that the PoC code for the vulnerability contained significant errors that caused it to target the wrong endpoint, so it failed to achieve RCE.
5. Despite initial belief in its potential threat, both threat actor implementations (such as Moobot) and the originally reported vulnerability failed to function as claimed.
6. Baines stressed that at-scale exploitation of CVE-2022-28958 never occurred and it should not be listed by MITRE or included in CISA’s KEV.
7. A dispute regarding the validity of CVE-2022-28958 was filed with MITRE by Baines, and findings were shared with CISA in October 2022.
8. Of the four vulnerabilities reported along with CVE-2022-28958, CVE-2022-28955 and CVE-2022-28956 still stand as recognized vulnerabilities, although one is considered low impact and the other a duplicate of existing CVEs.
9. GreyNoise will no longer track CVE-2022-28958 because it is not a vulnerability, though some exploit attempts persist.
10. The incident serves as an industry-wide reminder of the need for diligent vulnerability verification to maintain trust in vulnerability reporting and management systems.
Please ensure all relevant teams are updated with this information and adjust any security measures or resource allocations that were based on the initial reports of CVE-2022-28958 being a threat.