Cyber Resilience

CVE-2023-22897

MediumPublic PoC

Published: 12 April 2023

Published
12 April 2023
Modified
10 February 2025
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.8888 99.5th percentile
Risk Priority 66 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-22897 is a medium-severity Use of Uninitialized Resource (CWE-908) vulnerability in Securepoint Unified Threat Management. Its CVSS base score is 6.5 (Medium).

Operationally, ranked in the top 0.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-22897 is an information disclosure vulnerability affecting SecurePoint UTM versions prior to 12.2.5.1. The flaw resides in the firewall's /spcgi.cgi endpoint and stems from use of uninitialized resources (CWE-908), allowing an authenticated user to obtain a session identifier without actually using the session and thereby retrieve arbitrary memory contents.

An attacker with low-privileged network access can exploit the issue to leak sensitive data from process memory. The CVSS 6.5 vector reflects that the attack requires only valid credentials, has low complexity, and results in high confidentiality impact without affecting integrity or availability.

Public advisories and technical write-ups hosted on Packet Storm, Full Disclosure, and a detailed GitHub advisory document the flaw and confirm that the vendor addressed it in release 12.2.5.1. The associated EPSS score has remained consistently high near 0.89 since disclosure, indicating sustained exploitation interest.

EU & UK References

Vulnerability details

An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows information disclosure of memory contents to be achieved by an authenticated user. Essentially, uninitialized data can be retrieved via an approach in which a sessionid…

more

is obtained but not used.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

securepoint
unified threat management
12.2.3.1 — 12.2.5.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References