CVE-2022-35508 affects Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) in the HTTP proxying logic between pve/pmgproxy and pve/pmgdaemon. A low-privileged authenticated user can craft requests to cluster-related API endpoints so that attacker-controlled path components influence the backend URL used for proxied requests, resulting in post-authentication server-side request forgery (SSRF). The issue was demonstrated against APIs including GET /api2/json/nodes/{node_name}/tasks/{upid}/log in PVE and a similar node/proxying path in PMG. The SSRF can then be chained into arbitrary file disclosure because the server trusts a pvestreamfile response header from the proxied response and passes its value to sysopen, causing the proxy worker to open and return local files from the server filesystem. The file read occurs in the pveproxy or pmgproxy worker context as uid 33 (www-data). In PMG, if the backup feature has been used, readable backup archives such as /var/lib/pmg/backup/pmg-backup_YYYY_MM_DD_*.tgz may contain the PMG authentication private key, enabling further compromise.
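The two trust decisions described above (a request-derived node name shaping the backend URL, and a response header choosing a file to open) can be modelled as follows. This is an added example, not Proxmox code or the vendor's fix; the function names, the member table and the port are assumptions, and only the header name comes from the description.

```python
import re

# Added illustration, not Proxmox code. Function names, the member table and
# the port are assumptions; only the header name comes from the description.
STREAM_HEADER = "pvestreamfile"
NODE_NAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
CLUSTER_MEMBERS = {"pve1": "192.0.2.11", "pve2": "192.0.2.12"}  # constructed
BACKEND_PORT = 8006  # constructed


def backend_url(node, rel_path, members=CLUSTER_MEMBERS):
    """Build the proxied URL from the cluster table, never from request text."""
    if not NODE_NAME.fullmatch(node):
        raise ValueError(f"malformed node name: {node!r}")
    if node not in members:
        raise ValueError(f"unknown cluster node: {node!r}")
    if not rel_path.startswith("/") or any(c in rel_path for c in "\r\n"):
        raise ValueError("malformed path")
    # The host part comes from trusted configuration, so the node string
    # cannot introduce a different authority, port or path prefix.
    return f"https://{members[node]}:{BACKEND_PORT}{rel_path}"


def filter_response_headers(headers, from_local_daemon):
    """Drop the file-streaming header unless the local daemon sent it."""
    kept = {}
    for name, value in headers.items():
        if name.lower() == STREAM_HEADER and not from_local_daemon:
            continue  # a proxied peer must not choose which file gets opened
        kept[name] = value
    return kept


def handle(node, rel_path, upstream_headers, from_local_daemon):
    """Return (url, file_to_stream); file_to_stream is None unless trusted."""
    url = backend_url(node, rel_path)
    safe = filter_response_headers(upstream_headers, from_local_daemon)
    stream = next(
        (v for k, v in safe.items() if k.lower() == STREAM_HEADER), None
    )
    return url, stream
```

Either check alone breaks the chain: without a steerable backend URL there is no attacker-supplied response, and without trust in the header a forged response cannot select a local file.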
No public exploit code observed for this vulnerability.
2 sources tracked across advisories, community write-ups, and news.
A post-auth SSRF vulnerability in Proxmox VE and Proxmox Mail Gateway that can be chained with arbitrary file read, and in PMG can lead to privilege escalation through exposure of authentication keys in backup files.
A post-auth SSRF vulnerability in Proxmox VE and Proxmox Mail Gateway that can be chained with arbitrary file read behavior; in PMG, the chain can lead to privilege escalation by exposing authentication keys from backup files.