cbcvebase.
CVE-2023-7308
published 2025-08-27

Priority: P2 79 high
CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW: VulnCheck KEV
Exploited in the wild
EPSS: 6.71% (93.1th percentile)

SecGate3600, a network firewall product developed by NSFOCUS, contains a sensitive information disclosure vulnerability in the /cgi-bin/authUser/authManageSet.cgi endpoint. The affected component fails to enforce authentication checks on POST requests to retrieve user data. An unauthenticated remote attacker can exploit this flaw to obtain sensitive information, including user identifiers and configuration details, by sending crafted requests to the vulnerable endpoint. An affected version range is undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-18 UTC.

Affected

1 range
Vendor: nsfocus
Product: secgate3600_firewall
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /cgi-bin/authUser/authManageSet.cgi
command: type=getAllUsers
url: https://github.com/jjjj1029056414/selfpoc/blob/main/wangshen-SecGate3600-information-leakage.py
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wangshen authManageSet.cgi type Parameter Information Leak Attempt (CVE-2023-7308)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:35; content:"/cgi-bin/authUser/authManageSet.cgi"; fast_pattern; http.request_body; content:"type|3d|getAllUsers"; reference:url,github.com/jjjj1029056414/selfpoc/blob/main/wangshen-SecGate3600-information-leakage.py; reference:cve,2023-7308; classtype:attempted-recon; sid:2064200; rev:1; metadata:affected_product Wangshen, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_08_28, cve CVE_2023_7308, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_08_28, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1018, mitre_technique_name Remote_System_Discovery; target:dest_ip;)
  • Detect POST requests to /cgi-bin/authUser/authManageSet.cgi with a request body containing 'type=getAllUsers' (written in the rule as type|3d|getAllUsers, where |3d| is the hex byte for '='). The rule's bsize:35 requires the URI to be exactly 35 bytes, that is, the bare path with no query string.
  • The vulnerability is exploitable without authentication — no session cookie or credential is required. Alert on any POST to the endpoint regardless of authentication headers.
  • Active exploitation was first observed by the Shadowserver Foundation on 2024-06-18 UTC; treat traffic to this endpoint from that date onward as high-confidence exploitation attempts.
  • Traffic is expected in plaintext (non-TLS); focus network monitoring on unencrypted HTTP sessions targeting perimeter and internal Wangshen SecGate3600 devices.
  • MITRE mapping: TA0007 (Discovery) / T1018 (Remote System Discovery). Correlate with other reconnaissance activity from the same source IP.
  • The affected version range for NSFOCUS SecGate3600 is undefined; all deployed versions should be treated as potentially vulnerable.

CVSS provenance

nvd, v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd, v4.0: 8.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck: 8.7 HIGH