CVE-2023-40779
Published: 14 September 2023
Summary
CVE-2023-40779 is a medium-severity Open Redirect (CWE-601) vulnerability in Icewarp Deep Castle G2. Its CVSS base score is 6.1 (Medium).
Operationally, it is ranked in the top 2.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-40779 is an open redirection issue, tracked under CWE-601, that affects IceWarp Mail Server Deep Castle 2 version 13.0.1.2. The vulnerability resides in the web client component and permits a remote attacker to supply a crafted request to a URL that triggers the flaw, resulting in a CVSS 6.1 rating driven by network attack vector, low complexity, and required user interaction.
An unauthenticated remote attacker can exploit the weakness by sending a maliciously formed URL to a victim user. Successful exploitation allows the attacker to redirect the user to an arbitrary destination under attacker control, which can be leveraged to facilitate phishing or further client-side attacks that ultimately lead to arbitrary code execution within the affected session.
Public references describe the flaw as an open redirection vulnerability in the IceWarp Webclient product and provide technical details on the request manipulation required for exploitation. No vendor advisory or patch information is included in the supplied references.
The EPSS score for this CVE has remained flat at its peak value of 0.4052 since disclosure, indicating no material increase in observed exploitation interest.
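The weakness class described above (CWE-601) is mitigated by validating redirect targets before issuing the redirect. The following validator is an added example written for this page, not code from IceWarp or from the references; it assumes a placeholder allowed host `mail.example.com` and covers the usual bypass shapes (scheme-relative `//host`, backslash variants, non-HTTP schemes, look-alike hosts, userinfo tricks).

```python
from urllib.parse import urlsplit

# Assumption: the web client's own hostname (placeholder, not from the advisory).
ALLOWED_HOSTS = {"mail.example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for site-local paths or absolute URLs on an allowed host."""
    if not target or any(c in target for c in "\r\n\t\x00"):
        return False
    # Browsers treat "\" like "/", so "/\evil.example" is really "//evil.example".
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, file:, ...
    if parts.netloc:
        if parts.username or parts.password:
            return False  # "https://trusted@evil.example" style confusion
        return (parts.hostname or "").lower() in allowed_hosts  # exact match only
    # No authority component: accept a single-slash site-local path only.
    return normalised.startswith("/") and not normalised.startswith("//")


def choose_redirect(target: str, default: str = "/") -> str:
    """Pick the requested target if it is safe, otherwise fall back to default."""
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    # Constructed sample inputs for illustration.
    samples = [
        "/webmail/inbox",
        "https://mail.example.com/login",
        "//evil.example/",
        "/\\evil.example",
        "javascript:alert(1)",
        "https://mail.example.com.evil.example/",
        "https://user@mail.example.com/",
    ]
    for s in samples:
        print(f"{s!r:45} -> {choose_redirect(s)}")
```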
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-45331
Vulnerability details
An issue in IceWarp Mail Server Deep Castle 2 v.13.0.1.2 allows a remote attacker to execute arbitrary code via a crafted request to the URL.
- CWE(s): CWE-601 (Open Redirect)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.