Cyber Resilience

CVE-2023-40779

Medium

Published: 14 September 2023

Modified: 21 November 2024
KEV Added: not listed
Patch: none listed
CVSS v3.1 score: 6.1 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS score: 0.4052 (97.5th percentile)
Risk Priority: 37 (weighting 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-40779 is a medium-severity Open Redirect (CWE-601) vulnerability in Icewarp Deep Castle G2. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 2.5% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-40779 is an open redirection issue, tracked under CWE-601, that affects IceWarp Mail Server Deep Castle 2 version 13.0.1.2. The vulnerability resides in the web client component and is triggered by a crafted request to a URL handled by that component. The CVSS 6.1 rating reflects a network attack vector, low attack complexity, no privileges required and required user interaction, with a changed scope.

An unauthenticated remote attacker can exploit the weakness by sending a maliciously formed URL to a victim user. Successful exploitation allows the attacker to redirect the user to an arbitrary destination under attacker control, which can be leveraged to facilitate phishing or further client-side attacks that ultimately lead to arbitrary code execution within the affected session.

Public references describe the flaw as an open redirection vulnerability in the IceWarp Webclient product and provide technical details on the request manipulation required for exploitation. No vendor advisory or patch information is included in the supplied references.

The EPSS score for this CVE has remained flat at its peak value of 0.4052 since disclosure, indicating no material increase in observed exploitation interest.


Vulnerability details

An issue in IceWarp Mail Server Deep Castle 2 v.13.0.1.2 allows a remote attacker to execute arbitrary code via a crafted request to the URL.

CWE(s): CWE-601 (Open Redirect)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: icewarp
Product: deep castle g2
Version: 13.0.1.2

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Security awareness (addresses CWE-601): includes verifying URLs and avoiding untrusted redirects that lead to malicious sites.

Redirect validation (addresses CWE-601): validates redirect targets and URLs to ensure they conform to allowed destinations.
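As an added illustration of the second control (example code written for this page, not IceWarp's implementation and not derived from the vulnerable component), the check below accepts a redirect target only if it is a same-site path or an absolute http(s) URL whose host is on an allow-list; the host names are constructed. It rejects the usual allow-list bypasses for CWE-601: protocol-relative `//host`, triple-slash, backslashes, embedded control characters, non-http schemes and `user@host` tricks.

```python
from urllib.parse import urlsplit

# Constructed allow-list of hosts this application may redirect to.
ALLOWED_HOSTS = {"mail.example.com"}


def is_safe_redirect(target: str) -> bool:
    """Return True only if `target` is a redirect destination we control."""
    if not target:
        return False
    t = target.strip()
    # Browsers treat "\" like "/" and skip many control characters when
    # parsing; refuse both rather than trying to normalise them.
    if "\\" in t or any(ord(c) < 0x20 for c in t):
        return False
    parts = urlsplit(t)
    if parts.scheme:
        # Absolute URL: only http/https, and the host must be allow-listed.
        # `hostname` strips userinfo and port, so "allowed@evil" and
        # "allowed.evil" both fail the membership test.
        if parts.scheme not in ("http", "https"):
            return False
        return (parts.hostname or "") in ALLOWED_HOSTS
    # No scheme: "//evil" parses with a netloc, "///evil" does not, yet
    # browsers resolve both to an external host, so check the prefix too.
    if parts.netloc or t.startswith("//"):
        return False
    # Only absolute paths on this site remain acceptable.
    return t.startswith("/")


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return `target` if it passes validation, otherwise the fallback."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed sample inputs of the kind a `next=` parameter might carry.
    for sample in ["/webmail/inbox", "//evil.example/", "javascript:alert(1)",
                   "https://mail.example.com@evil.example/"]:
        print(f"{sample!r:45} -> {safe_redirect_target(sample)!r}")
```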
