Home / Threat Intelligence bulletins / Attacks using the virus Truebot use a bug in Netwrix Auditor RCE

Target Industry

Indiscriminate, opportunistic attacks.


Unauthorised attackers can run malicious code with the rights of the SYSTEM user thanks to a problem identified as CVE-2022-31199 that affects the Netwrix Auditor server and the agents installed on monitored network systems.


Successful exploitation of CVE-2022-31199 could allow an unauthenticated remote threat actor to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against known threats. EDRs can alert system users of potential breaches and prevent further progress prior to the malware being able to implement considerable damage.

Affected Products

Netwrix Auditor software.

Containment, Mitigations & Remediations

You should install patches to fix the CVE-2022-31199 vulnerability and update Netwrix Auditor to version 10.5 if your company uses Netwrix’s IT system auditing software.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Netwrix Auditor occupies a significant portion of the IT and technology services industry market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, this software could become a prime target. Due to the fact that Netwrix products have become an integral aspect of business operations, threat actors will continue to exploit vulnerabilities contained within the products in an attempt to extract the sensitive data contained therein.

Threat Group

Since December 2022, TA505 hackers (affiliated with the FIN11 organisation) have been using TrueBot, a malware downloader related to the Russian-speaking Silence cybercrime group, to spread Clop ransomware to infected networks. The FlawedGrace Remote Access Trojan (RAT), which is also connected to the TA505 group, is installed by the attackers on penetrated networks after TrueBot, enabling them to elevate privileges and establish persistence on the compromised systems.

Mitre Methodologies

TA0002 – Execution

Further Information


FIN11 hackers jump into the ransomware money-making scheme 

Remote code execution vulnerabilities exist in the Netwrix Auditor 

Netwrix auditor user activity video recording deserialization 


An Intelligence Terminology Yardstick to showing the likelihood of events