CVE-2022-35621 is an access control vulnerability identified in the Evoh NFT EvohClaimable smart contract, which is used for managing non-fungible tokens (NFTs). The vulnerability allows remote attackers to execute fraudulent NFT transfers without proper authorization. Specifically, the flaw lies in insufficient access control checks within the contract's logic, enabling unauthorized entities to transfer NFTs they do not own or control. The vulnerability is associated with CWE-284 (Improper Access Control), indicating that the contract fails to enforce correct permissions for critical operations. The CVSS v3.1 base score is 5.3 (medium severity), with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). This means an attacker can remotely exploit the vulnerability without authentication or user interaction, causing unauthorized modification of NFT ownership records, potentially leading to fraudulent transfers and loss of asset control. Although no patches or vendor information are provided, the vulnerability's presence in a smart contract implies that affected deployments on blockchain networks could be exploited by adversaries to manipulate NFT ownership, undermining trust and value in affected NFT projects.

For European organizations involved in NFT creation, trading, or custody, this vulnerability poses a significant risk to the integrity of their digital asset holdings. Fraudulent transfers could result in financial losses, reputational damage, and legal complications, especially under stringent EU regulations such as GDPR and the upcoming Digital Operational Resilience Act (DORA) that emphasize security and operational integrity. Organizations relying on the EvohClaimable contract or derivatives thereof may face unauthorized asset transfers, undermining customer trust and potentially causing cascading effects in marketplaces and secondary trading platforms. The lack of confidentiality impact reduces risk of data leakage, but the integrity compromise directly affects asset ownership and transactional trust. Given the decentralized and immutable nature of blockchain, remediation after exploitation can be challenging, emphasizing the importance of proactive mitigation. Additionally, the medium severity score suggests that while exploitation is feasible without privileges or user interaction, the impact is limited to integrity and does not affect availability or confidentiality.

European organizations should first identify whether they utilize the EvohClaimable contract or any derivative smart contracts containing this vulnerability. Since no official patches are listed, organizations should consider redeploying updated smart contracts with corrected access control logic, ensuring that only authorized parties can initiate NFT transfers. Implementing multi-signature wallets or role-based access control within smart contracts can add layers of security. Regular smart contract audits by reputable security firms are recommended to detect similar vulnerabilities. Monitoring blockchain transactions for anomalous NFT transfers can help detect exploitation attempts early. Organizations should also educate users about potential risks and establish incident response plans specific to blockchain asset compromise. Where possible, migrating NFTs to more secure contract implementations or platforms with proven security track records can reduce exposure. Finally, engaging with the broader blockchain community to share threat intelligence and mitigation strategies can improve collective defense.