CVE-2022-4991
Awaiting Analysis Awaiting Analysis - Queue
OpenSSL Configuration Path Traversal in Tychon

Publication date: 2026-06-01

Last updated on: 2026-06-02

Assigner: CERT/CC

Description
Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that may be controllable by an unprivileged user on Windows. Tychon contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2022-4991
EUVD
EUVD-2022-55995
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
tychon tychon endpoint
openssl openssl *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Tychon, which includes an OpenSSL component that uses an OPENSSLDIR variable pointing to a subdirectory that an unprivileged Windows user can control.

Because Tychon runs a privileged service using this OpenSSL component, an attacker who can place a specially crafted openssl.cnf file in the specified directory can exploit this to execute arbitrary code with SYSTEM privileges.

Impact Analysis

If exploited, this vulnerability allows an attacker with low privileges to escalate their privileges to SYSTEM level on a Windows system running the vulnerable Tychon version.

This means the attacker can execute arbitrary code with the highest system privileges, potentially leading to full system compromise.

Detection Guidance

This vulnerability can be detected by checking if the system is running a vulnerable version of Tychon that includes the affected OpenSSL component with a configurable OPENSSLDIR path. Specifically, you should verify if the Tychon Endpoint version is older than 1.7.857.82.

Additionally, you can inspect the filesystem for the presence of a specially crafted openssl.cnf file placed by an unprivileged user in the directory specified by the OPENSSLDIR variable.

Suggested commands to detect this might include:

  • Check the installed Tychon Endpoint version to confirm if it is older than 1.7.857.82.
  • Search for openssl.cnf files in directories that could be controlled by unprivileged users, for example using PowerShell: Get-ChildItem -Path <OPENSSLDIR_path> -Filter openssl.cnf -Recurse
  • Review permissions on the OPENSSLDIR directory to see if unprivileged users have write access.
Mitigation Strategies

The immediate mitigation step is to upgrade Tychon Endpoint to version 1.7.857.82 or later, which includes an updated OpenSSL library that resolves this vulnerability.

In the meantime, restrict write permissions on the directory specified by the OPENSSLDIR variable to prevent unprivileged users from placing malicious openssl.cnf files.

Monitor the system for any suspicious files or activity related to openssl.cnf in the OPENSSLDIR path.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-4991. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart