PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-4422 Bulutses Information Technologies CVE debrief

CVE-2022-4422 is a critical unauthenticated SQL injection vulnerability in Bulutses Information Technologies' Call Center System (Bulutdesk Callcenter) affecting all versions prior to 3.0. The vulnerability was published in the NVD on January 10, 2023, and carries a CVSS 3.1 score of 9.8 (Critical) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue allows remote, unauthenticated attackers to execute arbitrary SQL commands, potentially leading to complete confidentiality, integrity, and availability compromise of the affected system. The vulnerability is classified under CWE-89 (SQL Injection). Turkish government cybersecurity authorities (USOM and siberguvenlik.gov.tr) issued security advisories tracking this as TR-22-0747. The vendor has released version 3.0 which remediates this vulnerability. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor
Bulutses Information Technologies
Product
Bulutdesk Callcenter
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2023-01-10
Original CVE updated
2026-05-20
Advisory published
2023-01-10
Advisory updated
2026-05-20

Who should care

Organizations operating Bulutses Call Center System (Bulutdesk Callcenter) versions below 3.0, particularly those with internet-facing deployments. Security teams in Turkish-speaking regions should prioritize given local government advisory attention. Database administrators responsible for call center infrastructure should verify patch status immediately.

Technical summary

Unauthenticated SQL injection vulnerability in Bulutses Call Center System (Bulutdesk Callcenter) versions prior to 3.0. Attack vector is network-based with low attack complexity, requiring no privileges or user interaction. Successful exploitation yields high impact on confidentiality, integrity, and availability. Root cause is improper neutralization of special elements used in SQL commands (CWE-89). Remediation available through vendor patch in version 3.0.
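As an added illustration of the CWE-89 pattern named above (this is example code, not code from Bulutdesk Callcenter, whose internals are not documented on this page): a hypothetical call-center login and caller-lookup routine written the vulnerable way, beside the parameterized form, run against an in-memory SQLite database with constructed rows. The table and column names, the sample data, the plaintext passwords and the two payloads are all assumptions made for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed sample schema and rows; nothing here comes from the real product.
    Passwords are stored in plaintext only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE agents (username TEXT, password TEXT, role TEXT)")
    conn.execute("CREATE TABLE callers (phone TEXT, name TEXT)")
    conn.executemany("INSERT INTO agents VALUES (?, ?, ?)",
                     [("admin", "correct horse", "supervisor"),
                      ("agent1", "s3cret", "agent")])
    conn.executemany("INSERT INTO callers VALUES (?, ?)",
                     [("05551234567", "Ayse Y."), ("05559876543", "Mehmet K.")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """CWE-89: request parameters are spliced into the statement text, so a quote
    in the input changes the SQL grammar instead of being treated as data."""
    query = ("SELECT username, role FROM agents "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone()


def lookup_caller_vulnerable(conn, phone):
    """Same defect on a read-only lookup; a UNION turns it into data extraction,
    which is the confidentiality impact behind the C:H in the CVSS vector."""
    query = "SELECT phone, name FROM callers WHERE phone = '%s'" % phone
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Hardened form: placeholders bind the input as values, never as SQL."""
    query = "SELECT username, role FROM agents WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def lookup_caller_parameterized(conn, phone):
    query = "SELECT phone, name FROM callers WHERE phone = ?"
    return conn.execute(query, (phone,)).fetchall()


# Constructed payloads of the two classic shapes: a comment-based authentication
# bypass and a UNION-based extraction of another table.
BYPASS_USERNAME = "admin' -- "
UNION_PHONE = "' UNION SELECT username, password FROM agents -- "


def demo():
    """Run both payloads against the vulnerable and the parameterized versions."""
    conn = build_db()
    return {
        "vuln_login": login_vulnerable(conn, BYPASS_USERNAME, "wrong-password"),
        "safe_login": login_parameterized(conn, BYPASS_USERNAME, "wrong-password"),
        "vuln_lookup": lookup_caller_vulnerable(conn, UNION_PHONE),
        "safe_lookup": lookup_caller_parameterized(conn, UNION_PHONE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The vulnerable login returns the supervisor row for a wrong password because the `--` comment discards the password check; the vulnerable lookup returns agent credentials alongside caller records. The parameterized versions return nothing for the same inputs, since the quote and the comment are matched literally against the column values.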

Defensive priority

critical

Recommended defensive actions

  • Upgrade Bulutdesk Callcenter to version 3.0 or later to remediate the unauthenticated SQL injection vulnerability.
  • If immediate patching is not possible, restrict network access to the Call Center System to trusted networks and hosts (for example, behind a VPN) and put a web application firewall with SQL injection rules in front of it as a stop-gap. Treat this as a delay, not a fix: signature-based filtering is routinely bypassed.
  • Monitor web server and database query logs for injection indicators: UNION SELECT, tautologies such as OR 1=1, comment sequences (--, #, /*) following a quote, stacked statements, and logins that succeed without a matching credential.
  • If the deployment includes custom code or integrations that build SQL from request parameters, convert them to parameterized queries (prepared statements); escaping input is not a reliable substitute.
  • After upgrading, confirm that the running version is 3.0 or later and validate the fix by rescanning the application with a vulnerability scanner or retesting the affected input paths.
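To make the monitoring item concrete, an added example (not tooling from the vendor or from the USOM advisory): a small Python scanner that URL-decodes request lines from a web server access log in common/combined format and flags the injection shapes listed above (UNION SELECT, tautologies, comment sequences after a quote, stacked statements). The log lines are constructed for the example and the `/login` and `/search` paths are hypothetical; the product's real endpoints are not documented on this page. The same `sqli_indicators` function can be pointed at logged SQL text from a database general query log.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Indicator patterns applied to the decoded path and query string.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "tautology": re.compile(r"""['"]\s*(?:or|and)\s+['"]?\w+['"]?\s*=\s*['"]?\w+""", re.I),
    "comment_after_quote": re.compile(r"""['"]\s*(?:--|#|/\*)"""),
    "stacked_query": re.compile(r";\s*(?:select|insert|update|delete|drop|alter)\b", re.I),
}

# Common/combined log format: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (hypothetical paths, RFC 5737 documentation addresses).
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [10/Jan/2023:10:12:01 +0300] "GET /login?user=admin%27+--+&pass=x HTTP/1.1" 302 0',
    '203.0.113.10 - - [10/Jan/2023:10:12:03 +0300] "GET /login?user=x&pass=%27+OR+%271%27%3D%271 HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Jan/2023:10:12:05 +0300] "GET /search?phone=%27+UNION+SELECT+username%2Cpassword+FROM+agents+--+ HTTP/1.1" 200 1842',
    '192.0.2.44 - - [10/Jan/2023:10:13:00 +0300] "GET /search?phone=05551234567 HTTP/1.1" 200 512',
    '192.0.2.45 - - [10/Jan/2023:10:13:10 +0300] "POST /login HTTP/1.1" 200 900',
]


def decode_fully(text, rounds=3):
    """Decode repeatedly so double-encoded payloads (%2527) are still caught.
    Over-decoding a literal '+' into a space is acceptable for detection."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def sqli_indicators(text):
    """Return the names of every indicator pattern that matches the text."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_access_log(lines):
    """Parse each access log line and report requests carrying injection indicators."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        parts = urlsplit(m.group("target"))
        decoded = decode_fully(parts.path) + "?" + decode_fully(parts.query)
        found = sqli_indicators(decoded)
        if found:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "path": parts.path,
                "decoded": decoded,
                "indicators": found,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(hit["ip"], hit["ts"], hit["indicators"], hit["decoded"])
```

Two caveats a practitioner should keep in mind: access logs usually do not record POST bodies, so injection through form fields only shows up in application or database query logs, and these patterns are indicators for triage rather than proof; a 302 on a login request that carried a tautology payload is the kind of correlation worth escalating.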

Evidence notes

CVE published 2023-01-10; modified 2026-05-20. CPE criteria confirms affected product as cpe:2.3:a:bulutses:bulutdesk_callcenter:*:*:*:*:*:*:*:* with versionEndExcluding:3.0. Multiple Turkish government sources (USOM, siberguvenlik.gov.tr) corroborate advisory TR-22-0747. CVSS 9.8 Critical rating from NVD. CWE-89 classification confirmed by both USOM and NVD sources.

Official resources

2023-01-10