CVE-2022-35621: n/a in n/a
Access control vulnerability in Evoh NFT EvohClaimable contract with sha256 hash code fa2084d5abca91a62ed1d2f1cad3ec318e6a9a2d7f1510a00d898737b05f48ae allows remote attackers to execute fraudulent NFT transfers.
AI Analysis
Technical Summary
CVE-2022-35621 is an access control vulnerability identified in the Evoh NFT EvohClaimable smart contract, which is used for managing non-fungible tokens (NFTs). The vulnerability allows remote attackers to execute fraudulent NFT transfers without proper authorization. Specifically, the flaw lies in insufficient access control checks within the contract's logic, enabling unauthorized entities to transfer NFTs they do not own or control. The vulnerability is associated with CWE-284 (Improper Access Control), indicating that the contract fails to enforce correct permissions for critical operations. The CVSS v3.1 base score is 5.3 (medium severity), with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). This means an attacker can remotely exploit the vulnerability without authentication or user interaction, causing unauthorized modification of NFT ownership records, potentially leading to fraudulent transfers and loss of asset control. Although no patches or vendor information are provided, the vulnerability's presence in a smart contract implies that affected deployments on blockchain networks could be exploited by adversaries to manipulate NFT ownership, undermining trust and value in affected NFT projects.
Potential Impact
For European organizations involved in NFT creation, trading, or custody, this vulnerability poses a significant risk to the integrity of their digital asset holdings. Fraudulent transfers could result in financial losses, reputational damage, and legal complications, especially under stringent EU regulations such as GDPR and the upcoming Digital Operational Resilience Act (DORA), which emphasize security and operational integrity. Organizations relying on the EvohClaimable contract or derivatives of it may face unauthorized asset transfers, undermining customer trust and potentially causing cascading effects in marketplaces and secondary trading platforms. The lack of confidentiality impact reduces the risk of data leakage, but the integrity compromise directly affects asset ownership and transactional trust. Because blockchain transactions are decentralized and immutable, remediation after exploitation can be difficult, which makes proactive mitigation all the more important. Additionally, the medium severity score indicates that while exploitation is feasible without privileges or user interaction, the impact is limited to integrity and does not affect availability or confidentiality.
Mitigation Recommendations
European organizations should first determine whether they use the EvohClaimable contract or any derivative smart contracts containing this vulnerability. Since no official patches are listed, organizations should consider redeploying updated smart contracts with corrected access control logic, ensuring that only authorized parties can initiate NFT transfers. Implementing multi-signature wallets or role-based access control within smart contracts adds further layers of security. Regular smart contract audits by reputable security firms are recommended to detect similar vulnerabilities. Monitoring blockchain transactions for anomalous NFT transfers can help detect exploitation attempts early. Organizations should also educate users about the risks and establish incident response plans specific to blockchain asset compromise. Where possible, migrating NFTs to more secure contract implementations or platforms with proven security track records can reduce exposure. Finally, engaging with the broader blockchain community to share threat intelligence and mitigation strategies improves collective defense.
Affected Countries
Germany, France, Netherlands, Switzerland, United Kingdom, Estonia
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-07-11T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68371a22182aa0cae24f8aee
Added to database: 5/28/2025, 2:13:54 PM
Last enriched: 7/7/2025, 9:13:03 AM
Last updated: 8/16/2025, 12:59:41 AM
Views: 17
Related Threats
- CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR (Critical)
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)