Cyber Resilience

CVE-2023-22620

Severity: High · Public PoC

Published: 12 April 2023
Modified: 10 February 2025
KEV Added: not listed
Patch: fixed in 12.2.5.1
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.8289 (99.3rd percentile)
Risk Priority: 65 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-22620 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Securepoint Unified Threat Management. Its CVSS base score is 7.5 (High).

Operationally, this CVE ranks in the top 0.7% of all CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof of concept is referenced.

Deeper analysis

CVE-2023-22620 affects SecurePoint UTM firewalls prior to version 12.2.5.1. The flaw resides in the /spcgi.cgi endpoint, which discloses a valid session identifier when presented with an invalid authentication attempt. The disclosed sessionid can subsequently be reused to reach the device's administrative interface without further credentials, so the authorization check is effectively bypassed. The issue is tracked under CWE-863 (Incorrect Authorization) and carries a CVSS 3.1 score of 7.5.

An unauthenticated remote attacker can trigger the disclosure by sending a crafted request to the exposed endpoint. Successful capture of the session identifier grants full administrative access, allowing arbitrary configuration changes, policy manipulation, and potential lateral movement into the protected network. Per the CVSS vector, exploitation requires user interaction (UI:R) and non-trivial attack complexity (AC:H), yet it remains feasible over the network without prior authentication (AV:N, PR:N).

Public advisories and proof-of-concept material published on Packet Storm, Full Disclosure, and GitHub document the session-identifier leak and confirm that the vendor addressed the issue in release 12.2.5.1. Administrators are therefore advised to apply that update to eliminate the disclosure vector.

The associated EPSS score peaked at 0.8886 and currently stands at 0.8289, indicating that exploitation interest increased measurably after public disclosure and remains high.
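The analysis above describes the abuse pattern from the defender's side: a session identifier that was never bound to a successful login shows up on administrative requests, or a session that one client established is replayed by a different client. The script below is an added detection example, not code from the advisory, from Securepoint, or from the published proof of concept. The log line layout it parses is constructed for the example (the appliance's real log format is an assumption and must be adapted), the admin path prefix "/admin" is a placeholder, and the sample log lines are constructed. It also includes a small version-comparison helper for the fixed release named on this page.

```python
"""
Added detection example for the CVE-2023-22620 abuse pattern (not from the
advisory or the vendor). Two checks:
  1. is_vulnerable_version(): is the running UTM release older than 12.2.5.1?
  2. find_unbound_sessions(): over access-log events, flag admin requests whose
     session id was never bound by a successful login from that client, or was
     handed out during a failed login (the disclosure described in the analysis).
Log format (CONSTRUCTED ASSUMPTION): "<ts> <client> <path> auth=<ok|fail|-> sid=<id>"
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<path>\S+) "
    r"auth=(?P<outcome>ok|fail|-) sid=(?P<sid>\S+)$"
)


class Event(NamedTuple):
    ts: str
    client: str
    path: str
    outcome: str   # "ok" = successful login, "fail" = failed login, "-" = ordinary request
    sid: str       # session identifier, "-" when none is present


def is_vulnerable_version(version: str, fixed: str = "12.2.5.1") -> bool:
    """True when `version` is numerically older than the fixed release."""
    as_tuple = lambda v: tuple(int(part) for part in v.split("."))
    return as_tuple(version) < as_tuple(fixed)


def parse(lines: List[str]) -> List[Event]:
    """Parse constructed-format log lines; silently skip lines that do not match."""
    events: List[Event] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    return events


def find_unbound_sessions(events: List[Event],
                          admin_prefix: str = "/admin") -> List[Tuple[str, str, str]]:
    """Return (sid, client, path) for each admin request whose session is suspect.

    A session is suspect if no successful login ever bound it, if it was bound to a
    different client than the one now presenting it, or if it appeared on a failed
    login (a session id issued on a failed attempt is exactly the CWE-863 symptom).
    """
    bound: Dict[str, str] = {}          # sid -> client that logged in with auth=ok
    seen_on_failed_login: Set[str] = set()
    findings: List[Tuple[str, str, str]] = []
    for ev in events:
        if ev.sid == "-":
            continue
        if ev.outcome == "ok":
            bound[ev.sid] = ev.client
        elif ev.outcome == "fail":
            seen_on_failed_login.add(ev.sid)
        if ev.path.startswith(admin_prefix):
            owner = bound.get(ev.sid)
            if owner is None or owner != ev.client or ev.sid in seen_on_failed_login:
                findings.append((ev.sid, ev.client, ev.path))
    return findings


# Constructed sample log: one legitimate session (A1) and one session (B2) that
# was issued during a failed login and then used on the admin interface; the
# last line replays A1 from a client that never authenticated with it.
SAMPLE_LOG = [
    "2023-04-12T10:00:01Z 198.51.100.7 /spcgi.cgi auth=ok sid=A1",
    "2023-04-12T10:00:05Z 198.51.100.7 /admin/status auth=- sid=A1",
    "2023-04-12T10:01:00Z 203.0.113.9 /spcgi.cgi auth=fail sid=B2",
    "2023-04-12T10:01:03Z 203.0.113.9 /admin/config auth=- sid=B2",
    "2023-04-12T10:02:00Z 203.0.113.9 /admin/config auth=- sid=A1",
]


def run_example() -> List[Tuple[str, str, str]]:
    return find_unbound_sessions(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for sid, client, path in run_example():
        print(f"suspect session {sid} from {client} on {path}")
    print("12.2.3.1 vulnerable:", is_vulnerable_version("12.2.3.1"))
```

The legitimate session A1 used from the client that established it is not reported; the two findings are session B2 (issued on a failed login and never bound) and the replay of A1 from a second client. In practice the session id would not be logged in cleartext on many appliances, so a hashed or truncated form, or the absence of any login success record before admin activity, is the realistic signal to pivot on.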

EU & UK References

Vulnerability details

An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows sessionid information disclosure via an invalid authentication attempt. This can afterwards be used to bypass the device's authentication and get access to the administrative interface.

CWE(s)

CWE-863: Incorrect Authorization

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: securepoint
Product: unified threat management
Versions: 12.2.3.1 through 12.2.5.1 (12.2.5.1 is the fixed release, so the upper bound is exclusive)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-863: Periodic review and update of procedures reduces incorrect authorization implementations over time.

Addresses CWE-863: Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.

Addresses CWE-863: Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.

Addresses CWE-863: The authorization process and usage restrictions help prevent incorrect authorization for remote access types.

Addresses CWE-863: Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access.

Addresses CWE-863: Establishing connection authorization processes for mobile devices helps ensure authorization decisions are correctly implemented rather than incorrect.

Addresses CWE-863: Monitoring account use, notifying on changes, and reviewing accounts for compliance corrects incorrect authorization assignments.

Addresses CWE-863: Ensures authorization decisions for external system use are correctly implemented and enforced.

References