PatchDay Alert
Analysis · 4 min read · 882 words By The Commentary Desk · Commentary

The tool that audits everything runs as SYSTEM everywhere. That cuts both ways.

CVE-2022-31199 is unauthenticated RCE as SYSTEM in Netwrix Auditor, and it hits the server and the agents on every monitored system. Truebot used it. A privileged monitoring tool with agents across your estate is a shadow administration layer, and a force multiplier when it's compromised.


IT-auditing and monitoring tools earn their keep by seeing everything. They install agents across the estate, run with high privileges so they can collect what they need, and quietly watch domain controllers, file servers, and endpoints. That reach is the product. It’s also the problem when one gets compromised, and CVE-2022-31199 is the clean illustration: an unauthenticated remote code execution bug in Netwrix Auditor that runs code as NT AUTHORITY\SYSTEM not just on the Auditor server, but on the monitored systems running its agent. The tool’s privileged reach became the attacker’s.

What the bug is

CVE-2022-31199 is an insecure object deserialization flaw (CWE-502), CVSS 9.8, in the User Activity Video Recording component of Netwrix Auditor before version 10.5. The component exposes a .NET remoting service on TCP port 9004 that deserializes objects from the network without proper validation, so a crafted serialized payload triggers code execution as SYSTEM. Bishop Fox, which found it, noted the impact extends to both the Auditor server and the agents on monitored systems. CISA added it to the Known Exploited Vulnerabilities catalog on July 11, 2023, with the ransomware flag.

One nuance shapes the realistic threat model. The KEV entry notes that exploitation requires reaching port 9004, which standard enterprise firewalling commonly blocks at the perimeter. So this generally isn’t an internet-facing initial-access bug; it’s an internal one. The attacker who exploits it usually already has a foothold somewhere inside, and is using Netwrix to amplify it. That’s exactly how it showed up in the wild: CISA and partners documented Truebot, malware linked to the Silence group and associated with Cl0p-adjacent operations, using CVE-2022-31199 to gain access and deploy follow-on tooling against organizations in the US and Canada through 2023.

Why the monitoring fleet is a force multiplier

Think about what Netwrix Auditor is positioned to do, and then realize a SYSTEM-level RCE in it inherits all of it. It has agents on the systems it monitors, which often include the most sensitive ones, and it runs with credentials privileged enough to audit Active Directory. A bug that executes as SYSTEM on the server and the agents is therefore a path to:

  • Code execution across the monitored estate at once, not on one host. The agent footprint that makes the product useful makes the vulnerability broad.
  • Active Directory compromise, because the service account is privileged by design. Auditing AD requires deep read access, and a compromise of the auditing tool is a pivot straight at the directory.
  • Stealth, because traffic and activity from a monitoring tool look normal. Defenders rarely scrutinize the thing that’s supposed to be watching everything.

This is the uncomfortable shape of a whole category of software: monitoring, auditing, backup, and management tools are a shadow administration layer. They have standing privileged access to large parts of the environment, and that access doesn’t go through the normal admin pathways you watch. When one is vulnerable, it’s not one server’s worth of risk; it’s a privileged overlay across everything it touches.

What to do

  • Patch Netwrix Auditor to 10.5 or later. This is the fix. The patch is gated behind the customer portal, so plan for the login/download step.
  • Confirm port 9004 is not reachable from anywhere it shouldn’t be. Since exploitation needs that port, network segmentation is a strong control: the Auditor server and its remoting ports should be reachable only from the systems that legitimately need them, and never from general user segments or the internet.
  • Treat your monitoring and management tools as crown-jewel infrastructure. Inventory the privileged agents in your environment, Netwrix and everything like it, and apply the same patch urgency, segmentation, and least-privilege you’d give a domain controller. Run their service accounts with the minimum rights the product genuinely needs, not domain admin by default.
  • Watch the watchers. Build detections for the monitoring tools themselves behaving abnormally: the Netwrix service spawning shells or unexpected processes, agents executing commands, and unusual activity on the audit server. The whole point of using a monitoring tool as a pivot is that its activity blends in, so it needs explicit scrutiny.
  • If you ran an unpatched, internally reachable instance, investigate. Truebot and its follow-on tooling (FlawedGrace, Cobalt Strike, Teleport, and Cl0p) leave traces. Check the Auditor server and agents for compromise, and given the AD access, consider directory exposure.
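The "confirm port 9004 is reachable only from where it should be" and "watch the watchers" items above are the two places a detection engineer can turn this write-up into rules. The following is an added example, not code from the page or from Netwrix: it runs two constructed detections over Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records. Everything product-specific is an assumption: the monitoring service is identified by a path containing "netwrix" rather than by real binary names, the approved client subnet 10.10.0.0/24 is made up, and the JSON event lines are constructed for the demo. Only the port number (TCP 9004) comes from the advisory.

```python
"""Flag a privileged monitoring tool behaving abnormally.

Two rules, both derived from the advisory's threat model:
  1. The monitoring service (or its agent) spawning an interpreter or script host.
  2. Any connection to the remoting port (TCP/9004) from a network segment that
     is not approved to reach it.
"""
import ipaddress
import json
from pathlib import PureWindowsPath
from typing import Optional

# From the advisory: the User Activity Video Recording remoting port.
REMOTING_PORT = 9004

# Constructed assumption: the only subnet allowed to reach the remoting port.
# Replace with the real management/admin network(s).
ALLOWED_CLIENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Interpreters and script hosts a monitoring service has no reason to launch.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def is_monitoring_process(path: str) -> bool:
    """Constructed heuristic: any image installed under a 'netwrix' directory.
    A production rule should pin the exact service binaries instead."""
    return "netwrix" in path.lower()


def check_process_creation(ev: dict) -> Optional[str]:
    """Rule 1: monitoring service/agent spawning a shell or script host."""
    parent, child = ev.get("ParentImage", ""), ev.get("Image", "")
    if is_monitoring_process(parent) and image_name(child) in SHELL_IMAGES:
        return (f"monitoring process {image_name(parent)} spawned "
                f"{image_name(child)}: {ev.get('CommandLine', '')}")
    return None


def check_network_connection(ev: dict) -> Optional[str]:
    """Rule 2: connection to the remoting port from an unapproved source."""
    if int(ev.get("DestinationPort", 0)) != REMOTING_PORT:
        return None
    src = ipaddress.ip_address(ev["SourceIp"])
    if any(src in net for net in ALLOWED_CLIENT_NETS):
        return None
    return f"connection to TCP/{REMOTING_PORT} from unapproved source {src}"


RULES = {1: check_process_creation, 3: check_network_connection}


def run_detections(lines) -> list:
    """Parse JSON event lines, dispatch by EventID, and collect findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        rule = RULES.get(ev.get("EventID"))
        if rule is None:
            continue  # event types we have no rule for are ignored
        detail = rule(ev)
        if detail:
            findings.append({"host": ev.get("Computer", "?"),
                             "event_id": ev["EventID"], "detail": detail})
    return findings


# Constructed sample events (Sysmon-style field names, JSON one per line).
# Paths and hostnames are placeholders, not real Netwrix file names.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "auditsrv01", "ParentImage": "C:\\Program Files\\Netwrix Auditor\\service.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 1, "Computer": "auditsrv01", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"EventID": 1, "Computer": "fileagent03", "ParentImage": "C:\\Program Files\\Netwrix Auditor\\agent.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -Command <constructed>"}
{"EventID": 3, "Computer": "auditsrv01", "SourceIp": "10.10.0.5", "DestinationIp": "10.10.0.20", "DestinationPort": 9004}
{"EventID": 3, "Computer": "auditsrv01", "SourceIp": "192.168.50.23", "DestinationIp": "10.10.0.20", "DestinationPort": 9004}
{"EventID": 3, "Computer": "auditsrv01", "SourceIp": "192.168.50.23", "DestinationIp": "10.10.0.20", "DestinationPort": 443}
{"EventID": 11, "Computer": "auditsrv01", "TargetFilename": "C:\\Temp\\x.tmp"}
"""

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS.splitlines()):
        print(f"[{f['host']}] event {f['event_id']}: {f['detail']}")
```

Run against the sample, the first, third and fifth events produce findings; the explorer-launched shell, the connection from the approved subnet and the port-443 connection do not. The network rule is deliberately one-sided: it only says whether a source is approved, so it complements rather than replaces the firewall rule that should block the port in the first place.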

The reframe is worth carrying to your asset classification. The tools you deploy to gain visibility and control over your environment are, by construction, high-privilege and far-reaching, which makes them disproportionately valuable to an attacker who’s already inside. Netwrix Auditor watching your estate is exactly why a bug in it is dangerous: the compromise inherits the visibility. Classify your monitoring, auditing, and management software as the privileged infrastructure it is, segment it, scope its accounts down, and watch it as closely as it watches everything else. We flag the bugs in this shadow-admin layer because they convert a single internal foothold into reach across the whole environment.
