CVE-2022-45167 is a medium-severity vulnerability identified in Archibus Web Central version 2022.03.01.107. Archibus Web Central is a widely used integrated workplace management system (IWMS) that organizations deploy to manage real estate, infrastructure, and facilities. The vulnerability arises from a service exposed by the application that improperly restricts access controls, allowing a basic authenticated user to retrieve profile information of all connected users. This constitutes an information disclosure vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 4.3, reflecting low attack complexity (no special conditions required), network attack vector (remote exploitation possible), no user interaction, and requiring low privileges (basic user authentication). The impact is limited to confidentiality as the attacker can only access profile information, without affecting integrity or availability. No known exploits are reported in the wild, and no patches or vendor advisories are currently linked. The lack of detailed product and version information beyond the stated version limits precise scope assessment, but the vulnerability affects at least the specified Archibus Web Central release. This issue could allow an attacker to gather sensitive user metadata such as usernames, roles, contact details, or other profile attributes, potentially aiding in further targeted attacks or social engineering campaigns within the organization.

For European organizations using Archibus Web Central, this vulnerability poses a risk to user privacy and internal security posture. Disclosure of user profile information can facilitate reconnaissance by malicious actors, enabling them to identify privileged users or system administrators and craft targeted phishing or credential-based attacks. Although the vulnerability does not allow direct system compromise or data modification, the exposure of user metadata can be a stepping stone for lateral movement or privilege escalation attempts. Organizations in sectors with strict data protection regulations, such as GDPR, may face compliance risks if personal data is exposed without adequate controls. Facilities management and real estate firms, universities, government agencies, and large enterprises in Europe that rely on Archibus for workplace management are particularly at risk. The impact is more significant in environments where user profiles contain sensitive personal or organizational information. However, since exploitation requires at least basic user authentication, the threat is mitigated somewhat by internal access controls and network segmentation.

To mitigate this vulnerability, European organizations should first verify if they are running the affected Archibus Web Central version 2022.03.01.107 or similar releases. In the absence of an official patch, immediate steps include restricting access to the Archibus Web Central application to trusted internal networks and enforcing strong authentication mechanisms to limit basic user accounts. Conduct a thorough review of user roles and permissions to ensure minimal privilege principles are applied, reducing the number of users who can authenticate with basic privileges. Implement network segmentation and firewall rules to limit exposure of the application to only necessary users. Monitor application logs for unusual access patterns or attempts to enumerate user profiles. Engage with the vendor or software provider to obtain updates or patches addressing this vulnerability. Additionally, consider deploying Web Application Firewalls (WAF) with custom rules to detect and block suspicious requests targeting the vulnerable service endpoints. Finally, conduct user awareness training to mitigate risks from potential phishing attacks that could leverage disclosed user information.