CVE-2023-22620
Published: 12 April 2023
Summary
CVE-2023-22620 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Securepoint Unified Threat Management. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-22620 affects SecurePoint UTM firewalls prior to version 12.2.5.1. The flaw resides in the /spcgi.cgi endpoint, which discloses valid session identifiers when presented with an invalid authentication attempt. The disclosed sessionid can subsequently be reused to reach the device's administrative interface without further credentials. The issue is tracked under CWE-863 and carries a CVSS 3.1 score of 7.5.
An unauthenticated remote attacker can trigger the disclosure by sending a crafted request to the exposed endpoint. Successful capture of the session identifier grants full administrative access, allowing arbitrary configuration changes, policy manipulation, and potential lateral movement within the protected network. Exploitation requires user interaction and non-trivial attack complexity, yet remains feasible over the network without prior authentication.
Public advisories and proof-of-concept material published on Packet Storm, Full Disclosure, and GitHub document the session-identifier leak and confirm that the vendor addressed the issue in release 12.2.5.1. Administrators are therefore advised to apply that update to eliminate the disclosure vector.
The associated EPSS score reached a peak of 0.8886 and currently stands at 0.8289, indicating that exploitation interest increased measurably after public disclosure.
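As an added illustration of the weakness class described above, and not Securepoint's code (the real /spcgi.cgi logic is not reproduced on this page), the toy Python login handler below allocates and returns a session identifier before the credentials are verified, so the failure response itself hands out a session the admin check later accepts; the hardened handler beside it only issues a session after verification. The credential store, session layout and function names are assumptions.

```python
# Added example, not Securepoint's code: two versions of a login handler
# showing how a session id disclosed on a failed authentication attempt can
# be reused against an authorization check that trusts the session's user
# binding (the CWE-863 pattern behind CVE-2023-22620), and the fix.
import hmac
import secrets

# Constructed credential store; the user name and password are hypothetical.
USERS = {"admin": "correct horse battery staple"}


class SessionStore:
    """Minimal in-memory session table keyed by session id."""

    def __init__(self):
        self.sessions = {}

    def create(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user}
        return sid

    def is_admin(self, sid):
        # Authorization trusts whichever user the session was bound to.
        s = self.sessions.get(sid)
        return s is not None and s["user"] == "admin"


def login_vulnerable(store, user, password):
    # Session is bound to the requested user *before* the credential check,
    # and the failure response echoes the usable session id back.
    sid = store.create(user)
    if hmac.compare_digest(USERS.get(user, ""), password):
        return {"status": "ok", "sessionid": sid}
    return {"status": "auth_failed", "sessionid": sid}  # disclosure


def login_hardened(store, user, password):
    # No session exists until the credentials are verified; the failure
    # response carries nothing that can be replayed.
    if not hmac.compare_digest(USERS.get(user, ""), password):
        return {"status": "auth_failed"}
    return {"status": "ok", "sessionid": store.create(user)}


def admin_access_after_failed_login(login_fn):
    """True if a session id returned by a failed login passes the admin check."""
    store = SessionStore()
    resp = login_fn(store, "admin", "wrong-password")
    sid = resp.get("sessionid")
    return sid is not None and store.is_admin(sid)
```

The check function returns True for the vulnerable handler and False for the hardened one, which is the property a fix for this class of bug must restore.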
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-26756
Vulnerability details
An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows sessionid information disclosure via an invalid authentication attempt. This can afterwards be used to bypass the device's authentication and get access to the administrative interface.
- CWE(s): CWE-863 (Incorrect Authorization)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Periodic review and update of procedures reduces incorrect authorization implementations over time.
Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.
Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.
The authorization process and usage restrictions help prevent incorrect authorization for remote access types.
Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access.
Establishing connection authorization processes for mobile devices helps ensure that authorization decisions are implemented correctly rather than incorrectly.
Monitoring account use, notifying on changes, and reviewing accounts for compliance helps correct incorrect authorization assignments.
Ensures authorization decisions for external system use are correctly implemented and enforced.