CVE-2022-23851

CriticalPublic PoC

Published: 17 December 2025

Published

17 December 2025

Modified

05 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0010 27.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Netaxis API Orchestrator (APIO) before 0.19.3 allows server side template injection (SSTI).

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the SSTI vulnerability by requiring identification, reporting, and correction of the flaw through patching to Netaxis API Orchestrator version 0.19.3 or later.

SI-10 Information Input Validation good match

prevent

Prevents SSTI exploitation by enforcing validation of all user inputs to the server-side template rendering process using organization-defined tools and techniques.

SI-4 System Monitoring partial match

detect

Supports detection of ongoing SSTI attacks by monitoring the system for indicators of malicious template injection and unauthorized activities.

Security SummaryAI

Netaxis API Orchestrator (APIO), versions prior to 0.19.3, is affected by CVE-2022-23851, a server-side template injection (SSTI) vulnerability classified under CWE-1336. This flaw allows attackers to inject malicious templates into the application's server-side rendering process. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for widespread remote exploitation.

Unauthenticated attackers with network access can exploit this SSTI vulnerability with low complexity and no user interaction required. Successful exploitation enables high-impact compromise, including unauthorized access to sensitive data (confidentiality), modification of system resources (integrity), and disruption of services (availability), potentially leading to full server control.

Advisories recommend upgrading to Netaxis API Orchestrator version 0.19.3 or later to mitigate the issue. Additional details are available in the vendor product page at https://www.netaxis.be/products/apio/ and the security blog post at https://blog.tig00r.me/post/CVE-2022-23851. The CVE was published on 2025-12-17T15:15:48.387.

Details

CWE(s): CWE-1336

Affected Products

netaxis

api orchestrator

≤ 0.19.3

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

SSTI vulnerability in public-facing Netaxis API Orchestrator enables unauthenticated remote exploitation of a public-facing application (T1190), allowing high-impact compromise including full server control.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://blog.tig00r.me/post/CVE-2022-23851
Exploit, Third Party Advisory · cve@mitre.org
https://www.netaxis.be/products/apio/
Product · cve@mitre.org