CVE-2022-4510

CVE Database · CVE-2022-4510

CVE-2022-4510

· HIGHModified

CVSS v3.1

7.8

EPSS

21.71%

Published

Jan 26, 2023

Modified

Dec 16, 2025

Public PoC / Exploit (2)

All weaponized →

Exploit-DBBinwalk v2.3.2 - Remote Command Execution (RCE)TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A path traversal vulnerability was identified in ReFirm Labs binwalk from version 2.1.2b through 2.3.3 included. By crafting a malicious PFS filesystem file, an attacker can get binwalk's PFS extractor to extract files at arbitrary locations when binwalk is run in extraction mode (-e option). Remote code execution can be achieved by building a PFS filesystem that, upon extraction, would extract a malicious binwalk module into the folder .config/binwalk/plugins. This vulnerability is associated with program files src/binwalk/plugins/unpfs.py. This issue affects binwalk from 2.1.2b through 2.3.3 included.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-22CWE-22

Affected Products (1)

microsoft · binwalk (up to 2.3.3)vulnerable

References (5)

https://github.com/ReFirmLabs/binwalk/pull/617

ExploitPatchThird Party Advisory

https://security.gentoo.org/glsa/202309-07

https://github.com/ReFirmLabs/binwalk/pull/617

ExploitPatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2025/12/msg00022.html

https://security.gentoo.org/glsa/202309-07

KEV Catalog EPSS Scores Vendors All CVEs