Security Experts:

Connect with us

Hi, what are you looking for?



Exploitation of Bitrix CMS Vulnerability Drives ICS Attack Surge in Russia

Kaspersky has seen a surge in attacks on ICS computers in Russia and blames it on the exploitation of a Bitrix CMS vulnerability tracked as CVE-2022-27228.

Kaspersky has seen a surge in attacks on industrial control system (ICS) computers in Russia and neighboring countries, and the company has linked it to increased exploitation of a vulnerability affecting a content management system (CMS).

The cybersecurity firm on Monday published its latest ICS threat landscape report, which focuses on the second half of 2022. The company said it had blocked threats on 40.6% of the global devices protected by its products in 2022, a slight increase compared to 2021 (39.6%) and 2020 (38.6%). 

These devices include HMIs, SCADA systems, historians, data gateways, engineering workstations, computers used for the administration of industrial networks, and devices used to develop software for industrial systems.

However, the most significant increase in H2 2022 was seen in Russia, where attacks increased by nine percentage points, with 39.2% of the ICS computers in the country being targeted.

Learn More About ICS Threats at SecurityWeek’s ICS Cyber Security Conference

According to Kaspersky, this surge is driven by a significant increase in the percentage of ICS devices on which its products blocked malicious scripts and phishing pages.

“The sudden surge in the percentage of ICS computers on which malicious scripts and phishing pages were blocked in August and September 2022, as well as the high figures in the following months, were due to mass infections of websites (including those of industrial organizations) that use the Bitrix CMS,” Kaspersky explained. “It should be noted that ICS computers from which arbitrary websites can be accessed are mostly ICS operator or engineering workstations.”

The exploited vulnerability, tracked as CVE-2022-27228, affects the ‘Polls, Votes’ module of the Bitrix Site Manager application. The security hole allows a remote, unauthenticated attacker to execute arbitrary code.  

Bitrix24 announced patches for the vulnerability in March 2022. A researcher from Russian cybersecurity firm Positive Technologies was credited at the time for finding the flaw. 

SecurityWeek has not found any previous reports mentioning malicious exploitation of CVE-2022-27228.

In addition to Russia, ICS computers in countries such as Belarus, Kyrgyzstan, Uzbekistan and Kazakhstan have been increasingly targeted with malicious scripts and phishing pages as a result of CVE-2022-27228 exploitation against websites powered by the Bitrix CMS.

This is not surprising considering that the impacted Bitrix product has the largest market share in Russia and neighboring countries. 

“[The increase in attacks] was largely due to a surge in the activity of potentially dangerous advertising platforms that are often used to spread malware disguised as advertising displayed on various web resources,” Kaspersky said.

It appears that CVE-2022-27228 exploitation is opportunistic and Russia is significantly impacted because the Bitrix product is widely used in the country, rather than someone specifically exploiting the vulnerability to target Russia. 

Related: Spyware, Ransomware, Cryptojacking Malware Increasingly Detected on ICS Devices

Related: Siemens Drives Rise in ICS Vulnerabilities Discovered in 2022

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...