CVE-2022-23269
Published: 09 February 2022
Summary
CVE-2022-23269 is a medium-severity vulnerability of unspecified weakness type in Microsoft Dynamics GP. Its CVSS base score is 5.4 (Medium).
Operationally, it ranks in the top 33.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Microsoft Dynamics GP contains a spoofing vulnerability tracked as CVE-2022-23269. The flaw affects the on-premises ERP application and carries a CVSS 3.1 score of 5.4, reflecting a network-accessible vector that requires low privileges and some user interaction but produces changed scope with limited confidentiality and integrity impact.
An authenticated attacker can craft specially formed requests that cause a victim user to perceive content or actions as originating from a trusted Dynamics GP component. Successful exploitation allows the attacker to perform limited spoofing actions that could lead to unauthorized disclosure or modification of data within the affected session.
Microsoft’s Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23269 details the affected builds and the patches that address the issue. The associated EPSS score remained low after disclosure but rose materially to a peak of 0.0762 on 2025-01-22 before receding, indicating a later surge in exploitation interest that warrants renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-28355
Vulnerability details
Microsoft Dynamics GP Spoofing Vulnerability
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.