CVE-2023-22620
published 2023-04-12


Priority: P1 80 high
CVSS 3.1: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 3.89% (88.9th percentile)
An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows sessionid information disclosure via an invalid authentication attempt. This can afterwards be used to bypass the device's authentication and get access to the administrative interface.

Affected (1 range)

Vendor      | Product                   | Version range           | Fixed in
securepoint | unified_threat_management | >= 12.2.3.1, < 12.2.5.1 | 12.2.5.1

Detection & IOCs (extracted from sources)

path: /spcgi.cgi
command: POST /spcgi.cgi HTTP/1.1
  Content-Type: application/json; charset=UTF-8
  {"module":"auth","command":["login"],"sessionid":"","arguments":{"user":"","pass":""}}
command: POST /spcgi.cgi HTTP/1.1
  Content-Type: application/json; charset=UTF-8
  {"module":"system","command":["config","get"],"sessionid":"{{session}}"}
yara regex: '"sessionid": "([a-z0-9]+)"'
  • Monitor for POST requests to /spcgi.cgi with an empty 'sessionid', 'user', and 'pass' in the JSON body — this is the first stage of the exploit that triggers session ID disclosure.
  • Detect a follow-up POST to /spcgi.cgi with module 'system' and command 'config get' using a sessionid obtained from the prior unauthenticated request — this indicates authentication bypass.
  • A JSON response containing '"status":"OK"' from /spcgi.cgi following an unauthenticated login attempt confirms successful authentication bypass.
  • Use Shodan/FOFA queries to identify exposed SecurePoint UTM instances: Shodan title:"Securepoint UTM", FOFA title="securepoint utm", Google intitle:"securepoint utm".
  • The vulnerability affects SecurePoint UTM versions before 12.2.5.1 only; patched versions are not susceptible.
  • The exploit is a two-step process: first an invalid authentication attempt leaks a sessionid, then that sessionid is reused to access the administrative interface — single-request detections will miss the full attack chain.
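The detection bullets above describe a two-stage chain that single-request rules miss. The following correlation detector is an added example written for this page, not code from the page's sources or from SecurePoint: it assumes a WAF or reverse-proxy log that records each request to /spcgi.cgi together with its response body (the Event shape is assumed), uses the page's sessionid regex relaxed with \s* so it tolerates either JSON spacing, and runs over constructed sample traffic (addresses, session ids and response bodies are made up). It flags the empty-credential login probe, records any sessionid disclosed in its response, and raises an authentication-bypass alert when that sessionid is later reused in a 'system' / 'config get' request, marking it confirmed when the response reports status OK.

```python
import json
import re
from dataclasses import dataclass

# Regex from the page's detection rule, relaxed with \s* so it matches a
# response serialised with or without a space after the colon.
SESSIONID_RE = re.compile(r'"sessionid":\s*"([a-z0-9]+)"')


@dataclass
class Event:
    """One request/response pair as a WAF or reverse proxy might log it (assumed shape)."""
    src: str
    method: str
    path: str
    body: str
    response: str = ""


def parse_json(text):
    """Return the decoded JSON object, or None if the text is not a JSON object."""
    try:
        obj = json.loads(text)
    except ValueError:
        return None
    return obj if isinstance(obj, dict) else None


def is_stage1(event):
    """Stage 1 (detection bullet 1): login attempt with empty sessionid, user and pass."""
    req = parse_json(event.body)
    if req is None:
        return False
    args = req.get("arguments") or {}
    return (req.get("module") == "auth"
            and req.get("command") == ["login"]
            and req.get("sessionid") == ""
            and args.get("user") == ""
            and args.get("pass") == "")


def leaked_sessionid(event):
    """Session id disclosed in the response to a stage-1 probe, or None."""
    match = SESSIONID_RE.search(event.response)
    return match.group(1) if match else None


def is_stage2(event, sessionid):
    """Stage 2 (detection bullet 2): 'system' / 'config get' reusing a leaked session id."""
    req = parse_json(event.body)
    return (req is not None
            and req.get("module") == "system"
            and req.get("command") == ["config", "get"]
            and req.get("sessionid") == sessionid)


def analyze(events):
    """Correlate POSTs to /spcgi.cgi across both stages; return (alert, src, sessionid) tuples."""
    leaked = {}   # sessionid -> source that obtained it without credentials
    alerts = []
    for ev in events:
        if ev.method != "POST" or ev.path != "/spcgi.cgi":
            continue
        if is_stage1(ev):
            alerts.append(("stage1_probe", ev.src, None))
            sid = leaked_sessionid(ev)
            if sid:
                leaked[sid] = ev.src
                alerts.append(("sessionid_disclosed", ev.src, sid))
            continue
        req = parse_json(ev.body)
        sid = req.get("sessionid") if req else None
        if isinstance(sid, str) and sid in leaked and is_stage2(ev, sid):
            # Bullet 3: a status OK response after the unauthenticated probe confirms the bypass.
            resp = parse_json(ev.response)
            confirmed = resp is not None and resp.get("status") == "OK"
            kind = "auth_bypass_confirmed" if confirmed else "auth_bypass_attempt"
            alerts.append((kind, ev.src, sid))
    return alerts


def login(user, password, sessionid=""):
    """Build the auth/login request body in the format quoted on the page."""
    return json.dumps({"module": "auth", "command": ["login"], "sessionid": sessionid,
                       "arguments": {"user": user, "pass": password}})


def config_get(sessionid):
    """Build the system/config get request body in the format quoted on the page."""
    return json.dumps({"module": "system", "command": ["config", "get"], "sessionid": sessionid})


# Constructed sample traffic: a legitimate admin session, then the two-stage chain.
SAMPLE_EVENTS = [
    Event("198.51.100.7", "POST", "/spcgi.cgi", login("admin", "correct horse"),
          json.dumps({"status": "OK", "sessionid": "a1b2c3d4e5"})),
    Event("203.0.113.5", "POST", "/spcgi.cgi", login("", ""),
          json.dumps({"status": "ERROR", "sessionid": "ff00ee11dd22"})),
    Event("203.0.113.5", "POST", "/spcgi.cgi", config_get("ff00ee11dd22"),
          json.dumps({"status": "OK", "config": {"hostname": "utm"}})),
    Event("198.51.100.7", "POST", "/spcgi.cgi", config_get("a1b2c3d4e5"),
          json.dumps({"status": "OK", "config": {"hostname": "utm"}})),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The detector keys on the disclosed sessionid rather than on the source address, so a sessionid leaked to one host and reused from another is still caught; the legitimate admin's config read produces no alert because its sessionid was never obtained through an empty-credential probe.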

CVSS provenance

nvd: v3.1 7.5 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck: 7.5 HIGH