Fake Critical Vulnerability in D-Link Routers

News Report: Vulnerability CVE-2022-28958 Erroneously Recognized and Deleted

The recently reported vulnerability CVE-2022-28958, which the Cybersecurity and Infrastructure Security Agency (CISA) had added to its Known Exploited Vulnerabilities (KEV) catalog, has been officially recognized as erroneous and deleted from the catalog. This decision came after the National Vulnerability Database (NVD) revoked the CVE's status as a vulnerability following a multi-month review.

Initially, the vulnerability was believed to be a critical remote code execution (RCE) flaw with a CVSS score of 9.8 in an outdated D-Link router (DIR-816L). However, it has been discovered that it does not actually affect the systems.

VulnCheck, a cybersecurity company, described CVE-2022-28958 as “not a real vulnerability.” The company found a mistake in the proof of concept (PoC): it pointed to the wrong endpoint, so the vulnerability did not allow remote code execution.

VulnCheck emphasized that the initial disclosure of the vulnerability mistakenly convinced MITRE, NVD, and CISA of its importance. Even the attackers who added this flaw to the capabilities of the MooBot botnet found that it did not work. According to VulnCheck, there has never been large-scale exploitation of this vulnerability. Therefore, it should not have been included in the MITRE list or in the CISA KEV catalog.

It is important to note that the other two flaws, CVE-2022-28955 and CVE-2022-28956, presented by VulnCheck, are still considered vulnerabilities and were not rejected. However, according to VulnCheck, the first flaw has a low impact on security or no impact at all, while the second is a real problem but is a duplicate of four other CVEs.

GreyNoise, an internet traffic analysis provider, has decided to stop tracking CVE-2022-28958, even though several exploit attempts are still being made. GreyNoise noted that “erroneous” vulnerabilities can lead to unnecessary anxiety and allocation of resources in the cybersecurity community, and can also undermine confidence
