CVE-2022-4991: Tychon OpenSSL Privilege Escalation Vulnerability
Tychon, a Windows application, contains a vulnerability in how it configures OpenSSL. An unprivileged user can place a malicious configuration file in a location that Tychon's privileged service will read, potentially allowing that user to execute arbitrary code with SYSTEM-level privileges. This is a local privilege escalation vulnerability that requires an attacker to have filesystem write access to a specific directory on the target system.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.4 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- —
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that may be controllable by an unprivileged user on Windows. Tychon contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2022-4991 stems from improper handling of the OPENSSLDIR variable within Tychon's bundled OpenSSL component. The vulnerability arises because OPENSSLDIR is configured to reference a subdirectory that may be writable by unprivileged users on Windows systems. When Tychon's privileged service (running under SYSTEM context) initializes OpenSSL, it loads configuration from openssl.cnf at a predictable path. An attacker who controls write access to this directory can craft a malicious openssl.cnf file to execute arbitrary code when the service loads the configuration. The CVSS 3.1 vector (7.4 HIGH) reflects the requirement for local access and the complexity of crafting a suitable configuration payload, but acknowledges the severe impact of code execution at SYSTEM privilege level.
Business impact
Successful exploitation enables complete system compromise by an authenticated local user, potentially leading to data theft, lateral movement within the network, installation of persistent backdoors, or denial of service. Organizations running Tychon on Windows systems must assume that any local user account—including service accounts with minimal privileges—could escalate to administrative control. This is particularly concerning in shared or multi-user environments, and in systems where Tychon runs as a privileged service handling sensitive operations.
Affected systems
Tychon on Windows platforms is affected. The vulnerability requires an unprivileged user to have filesystem write access to the directory specified by OPENSSLDIR within Tychon's OpenSSL configuration. Verify the specific Tychon versions impacted and patch availability from the vendor advisory, as version information is not specified in the initial disclosure.
Exploitability
Exploitation requires local system access and the ability to write files to the OPENSSLDIR location. It is not remotely exploitable over a network. However, the attack surface is broad in environments where Tychon is deployed on systems accessible to multiple user accounts, or where local privilege escalation is a known attack chain. The complexity rating reflects the need to craft a valid openssl.cnf payload, but this is straightforward for an attacker with basic understanding of OpenSSL configuration syntax. The vulnerability is not currently tracked on CISA's Known Exploited Vulnerabilities list.
Remediation
Apply the security patch from the Tychon vendor as soon as it becomes available. The fix should address either the incorrect OPENSSLDIR path specification or the privilege model of the vulnerable service. In the interim, restrict write permissions on the OPENSSLDIR-related directories to only SYSTEM and trusted administrative accounts. Review local user accounts and access controls to limit the number of users who can write to sensitive filesystem locations.
Patch guidance
Consult the Tychon vendor advisory for the specific patched version number and deployment procedures. Apply patches to all Windows systems running Tychon, prioritizing those in multi-user environments or where the service handles sensitive data. After patching, verify that OpenSSL configuration paths are no longer world-writable or user-writable, and confirm that the service restarts cleanly with the updated binaries.
Detection guidance
Monitor for suspicious modifications to openssl.cnf files in Tychon's installation directory or related OpenSSL configuration paths. Alert on any attempt by unprivileged processes to write to these locations. Check Windows event logs for unusual service restarts or SYSTEM-privilege code execution initiated from atypical locations. Use filesystem integrity monitoring to detect unauthorized changes to OpenSSL configuration files. Endpoint Detection and Response (EDR) tools should flag attempts to place specially-crafted configuration files in predictable OpenSSL directories.
Why prioritize this
Although not yet on the KEV list and requiring local access, this vulnerability merits rapid patching due to its HIGH CVSS score, the universal availability of local access in multi-user systems, and the severe impact of SYSTEM-level code execution. Organizations should treat this as a high-priority remediation target, particularly for systems in sensitive environments or those handling privileged operations.
Risk score, explained
The CVSS 3.1 score of 7.4 (HIGH) reflects a vulnerability that demands either local access or a pre-existing foothold, yet delivers critical impact—arbitrary code execution at the highest Windows privilege level. The attack complexity is rated as high due to the need to craft a valid OpenSSL configuration, but this should not be misinterpreted as difficult; the rating reflects the technical steps required, not the likelihood that an attacker will succeed once local access is obtained.
Frequently asked questions
Can this vulnerability be exploited remotely over the network?
No. CVE-2022-4991 requires local filesystem write access to a specific directory. An attacker must have either a user account on the affected Windows system or have already achieved some level of local code execution. It is not remotely exploitable.
What is the impact if an attacker successfully exploits this vulnerability?
The attacker gains arbitrary code execution with SYSTEM privileges, the highest privilege level in Windows. This enables complete system compromise, including theft of sensitive data, installation of malware, lateral movement to other systems, and denial of service.
Is there a workaround if I cannot patch immediately?
Restrict write permissions on the OpenSSL configuration directories to SYSTEM and trusted administrative accounts only. This prevents unprivileged users from placing malicious openssl.cnf files. However, this is a temporary control and should not delay patch deployment.
Does the CVSS score of 7.4 reflect the actual risk I face?
The score is context-dependent. In single-user systems or those with strict access controls, the risk is lower. In shared or multi-user environments, the risk is substantial. The HIGH rating appropriately reflects the severity of SYSTEM-level code execution and should inform your patching priority.
This analysis is provided for informational purposes and is based on available disclosure data as of the publication date. Vendor product and version information is not exhaustively detailed in the source disclosure; verify affected versions and patch availability directly from the Tychon vendor advisory. CVSS scores and severity ratings are as published by the National Vulnerability Database (NVD) and represent a general risk model; your organization's actual risk depends on deployment context, access controls, and remediation timeline. No exploit code or weaponized proof-of-concept is provided in this analysis. This vulnerability has not been added to CISA's Known Exploited Vulnerabilities list as of the analysis date. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25391HIGHHaPe PKH 1.1 Authorization Bypass – Unauthorized Record Deletion Vulnerability