CVE-2023-22897
published 2023-04-12


Priority: P274 · Severity: medium · CVSS 3.1 base score: 6.5
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
Tags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 4.07% (89.4th percentile)
An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows information disclosure of memory contents to be achieved by an authenticated user. Essentially, uninitialized data can be retrieved via an approach in which a sessionid is obtained but not used.

Affected (1 range)

Vendor:        securepoint
Product:       unified_threat_management
Version range: >= 12.2.3.1, < 12.2.5.1
Fixed in:      12.2.5.1

Detection & IOCs (extracted from sources)

path:  /spcgi.cgi
url:   POST /spcgi.cgi HTTP/1.1
other: title:"Securepoint UTM"
other: title="securepoint utm"
other: intitle:"securepoint utm"
  • Send a POST request with an empty JSON body ({}) to /spcgi.cgi; a vulnerable response returns HTTP 200 with Content-Type: application/json and a JSON body containing both a '"sessionid":' and a '"mode":' field, indicating that uninitialized memory is being leaked.
  • The exploit technique involves obtaining a sessionid from /spcgi.cgi but deliberately not using it, causing uninitialized memory data to be returned in the response.
  • Hunt for exposed Securepoint UTM login pages using the Shodan query title:"Securepoint UTM" or http.title:"securepoint utm" to identify potentially vulnerable internet-facing instances.
  • Exploitation requires an authenticated user session; the vulnerability is not unauthenticated, though the memory leak occurs when a sessionid is obtained but not subsequently used.
  • Affected versions are SecurePoint UTM before 12.2.5.1; systems running 12.2.5.1 or later are patched.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     6.5    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vulncheck           6.5    MEDIUM