PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-23650 Netmaker CVE debrief

CVE-2022-23650 is a high-severity Netmaker server issue involving a hard-coded cryptographic key in the code base. Per the advisory, an attacker who knows the admin address and username could use that key to run admin commands on a remote server. The issue affects the Netmaker server component, not clients, and the vendor states there are no known workarounds. Fixed releases are listed as v0.8.5, v0.9.4, and v0.10.0.

Vendor: Netmaker
Product: Unknown
CVSS: HIGH (7.2)
CISA KEV: Not listed in stored evidence
Original CVE published: 2022-02-18
Original CVE updated: 2026-05-18
Advisory published: 2022-02-18
Advisory updated: 2026-05-18

Who should care

Netmaker operators and administrators responsible for the server component, especially environments where administrative access details may be discoverable or exposed. Client-side Netmaker deployments are not the affected component per the supplied advisory.

Technical summary

The supplied sources describe a hard-coded cryptographic key embedded in Netmaker's code base. NVD classifies the issue as CWE-798 (Use of Hard-coded Credentials), while the GitHub advisory also lists CWE-321 (Use of Hard-coded Cryptographic Key). The impact is on the server (netmaker) component: if an attacker knows the admin address and username, they may be able to invoke admin commands remotely. The NVD CVSS vector is AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, reflecting network reachability, no user interaction, and high impact once the prerequisite privileges/knowledge are present.

Defensive priority

High. This can expose the Netmaker server to remote administrative abuse with high confidentiality, integrity, and availability impact, and the vendor notes no known workaround.

Recommended defensive actions

  • Upgrade the Netmaker server component to the fixed release for your branch: v0.8.5, v0.9.4, or v0.10.0.
  • Verify every deployed Netmaker server instance is on a non-vulnerable release; the advisory says the affected component is the server, not clients.
  • Because the advisory lists no known workarounds, prioritize patching rather than relying on compensating controls alone.
  • Review administrative access exposure and limit who can reach or learn the admin interface details until patching is complete.
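To support the version-verification step above, here is an added example (not Netmaker's own tooling) that classifies a server's release tag against the fixed releases the advisory names. It assumes releases at or above v0.10.0 carry the fix and that branches the advisory does not name (for example 0.7.x) should be flagged for upgrade rather than assumed safe; the inventory data is constructed.

```python
import re
from typing import Dict, List, Tuple

# Lowest fixed patch on each branch, taken from the advisory's fixed-release list.
FIXED_RELEASES = {
    (0, 8): (0, 8, 5),
    (0, 9): (0, 9, 4),
}
# Assumption: v0.10.0 and every later release carry the fix.
FIRST_FIXED_LINE = (0, 10, 0)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(tag: str) -> Tuple[int, int, int]:
    """Parse a release tag such as 'v0.9.3' (optional 'v', pre-release suffix ignored)."""
    m = _VERSION_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(tag: str) -> str:
    """Classify a Netmaker server version against the CVE-2022-23650 fixed releases.

    Returns 'fixed', 'vulnerable', or 'unknown-branch' for a branch the advisory
    does not name (treat it as needing upgrade rather than assuming it is safe).
    """
    v = parse_version(tag)
    if v >= FIRST_FIXED_LINE:
        return "fixed"
    branch_fix = FIXED_RELEASES.get(v[:2])
    if branch_fix is None:
        return "unknown-branch"
    return "fixed" if v >= branch_fix else "vulnerable"


def inventory_report(instances: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (host, version) pair from an inventory to its patch status."""
    return {host: assess(version) for host, version in instances}


if __name__ == "__main__":
    # Constructed sample inventory of server instances.
    sample = [("nm-prod-1", "v0.9.3"), ("nm-prod-2", "v0.9.4"),
              ("nm-lab", "0.8.2"), ("nm-new", "v0.10.1"), ("nm-old", "v0.7.9")]
    for host, status in inventory_report(sample).items():
        print(f"{host}: {status}")
```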

Evidence notes

The CVE was published on 2022-02-18 and the NVD record was modified on 2026-05-18; those dates are used only as disclosure/timeline context. The supplied NVD record links to the Netmaker security advisory GHSA-86f3-hf24-76q4 and patch-related GitHub commits 3d4f44ecfe8be4ca38920556ba3b90502ffb4fee, e9bce264719f88c30e252ecc754d08f422f4c080, and 1bec97c662670dfdab804343fc42ae4b1d050a87. The record also supplies the CVSS vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H and weakness mappings CWE-798 and CWE-321.

Official resources

CVE-2022-23650 was published on 2022-02-18. The NVD record was later modified on 2026-05-18, but that is a record update date rather than the original vulnerability disclosure date.