Cyber Resilience

CVE-2022-23269

Medium

Published: 09 February 2022

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.0049 (66.2th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-23269 is a medium-severity vulnerability of unspecified weakness type in Microsoft Dynamics GP. Its CVSS base score is 5.4 (Medium).

Operationally, it ranks in the top 33.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Microsoft Dynamics GP contains a spoofing vulnerability tracked as CVE-2022-23269. The flaw affects the on-premises ERP application and carries a CVSS 3.1 score of 5.4, reflecting a network-accessible vector that requires low privileges and some user interaction but produces changed scope with limited confidentiality and integrity impact.

An authenticated attacker can craft specially formed requests that cause a victim user to perceive content or actions as originating from a trusted Dynamics GP component. Successful exploitation allows the attacker to perform limited spoofing actions that could lead to unauthorized disclosure or modification of data within the affected session.

Microsoft’s Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23269 details the affected builds and the patches that address the issue. The associated EPSS score remained low after disclosure but rose materially to a peak of 0.0762 on 2025-01-22 before receding, indicating a later surge in exploitation interest that warrants renewed attention.

Vulnerability details

Microsoft Dynamics GP Spoofing Vulnerability

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: microsoft
Product: dynamics gp
Versions: all versions

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
