CVE-2022-1065

moderate-risk
Published 2022-04-19

A vulnerability within the authentication process of Abacus ERP allows a remote attacker to bypass the second authentication factor. This issue affects: Abacus ERP v2022 versions prior to R1 of 2022-01-15; v2021 versions prior to R4 of 2022-01-15; v2020 versions prior to R6 of 2022-01-15; v2019 versions later than R5 (service pack); v2018 versions later than R5 (service pack). This issue does not affect: Abacus ERP v2019 versions prior to R5 of 2020-03-15; v2018 versions prior to R7 of 2020-04-15; v2017 version and prior versions and prior versions.

Do I need to act?

~
1.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.1/10 High
NETWORK / LOW complexity

Affected Products (5)

Abacus Erp 2018
Abacus Erp 2019
Abacus Erp 2020
Abacus Erp 2021
Abacus Erp 2022

Affected Vendors

Abacus

References (2)

Exploit https://www.redguard.ch/advisories/abacus_mfa_bypass.txt
Exploit https://www.redguard.ch/advisories/abacus_mfa_bypass.txt
44
/ 100
moderate-risk
Severity 28/34 · Critical
Exploitability 4/34 · Minimal
Exposure 12/34 · Low