CVE-2022-3337 MEDIUM

CVE-2022-3337: Lock WARP switch bypass by removing VPN profile on iOS mobile client

Vendor Cloudflare
Product WARP
Weakness CWE-862 · Missing authorization
Published October 28, 2022
Last update May 6, 2025

CVSS base score

6.7/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L

What the vulnerability does

01 Description

It was possible for a user to delete a VPN profile from the WARP mobile client on the iOS platform despite the Lock WARP switch feature (https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/#lock-warp-switch) being enabled on the Zero Trust platform. This led to bypassing policies and restrictions enforced for enrolled devices by the Zero Trust platform.

Key dates

02 Disclosure timeline

October 28, 2022 CVE published
May 6, 2025 Record updated

Related vulnerabilities

04 Related CVE