CVE-2022-41400

9.8 CRITICAL

📋 TL;DR

Sage 300 uses a hard-coded encryption key to protect sensitive data like passwords and SQL connection strings. Attackers who gain access to the encrypted database files can decrypt this information. All Sage 300 installations through 2022 are affected.

💻 Affected Systems

Products:
  • Sage 300
Versions: All versions through 2022
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration, where ISAM database files containing the encrypted data are stored in the shared data directory.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Sage 300 environment including database credentials, user passwords, and potential lateral movement to connected systems.

🟠 Likely Case

Attackers with access to shared data directory decrypt stored credentials and gain unauthorized access to Sage 300 and connected databases.

🟢 If Mitigated

Limited impact if proper access controls prevent unauthorized access to the shared data directory containing encrypted files.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the encrypted database files, but once the files are obtained, decryption is trivial because the key is hard-coded.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Sage 300 2023 or later

Vendor Advisory: https://www.sage.com/en-ca/products/sage-300/

Restart Required: Yes

Instructions:

1. Upgrade to Sage 300 2023 or later.
2. Follow Sage's migration guide.
3. Restart Sage 300 services.
4. Change all passwords and database credentials that were previously stored.

🔧 Temporary Workarounds

Restrict access to shared data directory

Windows (run from an elevated prompt):

Apply strict file system permissions to prevent unauthorized access to the ISAM database files. Substitute the account your Sage 300 services actually run as for "SageServiceAccount". Note that the command strips inherited permissions and leaves the service account with read and execute only; confirm beforehand which accounts or groups Sage 300 needs to write to this directory during normal operation, grant them explicitly, and test on a non-production system first.

icacls "C:\ProgramData\Sage\Sage 300\Shared Data" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F" /grant:r "SageServiceAccount:(OI)(CI)RX"

🧯 If You Can't Patch

  • Implement network segmentation to isolate Sage 300 servers from other critical systems.
  • Monitor access to shared data directory and alert on unauthorized file access attempts.

🔍 How to Verify

Check if Vulnerable:

Check the Sage 300 version: if it is 2022 or earlier, the installation is vulnerable. Also check whether ISAM database files in the shared data directory carry weak permissions.

Check Version:

Check Help > About in Sage 300 application or review installation directory version information.

Verify Fix Applied:

Verify that the Sage 300 version is 2023 or later and confirm that the new encryption implementation is in use.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to shared data directory
  • Multiple failed authentication attempts followed by successful access

Network Indicators:

  • Unusual database connections from Sage 300 server
  • Lateral movement attempts from Sage 300 server

SIEM Query:

source="windows-security" EventCode=4663 ObjectName="*Sage 300*Shared Data*" AND NOT SubjectUserName IN ("SYSTEM", "Administrator", "SageServiceAccount")

Event ID 4663 is only generated when the Object Access > File System audit subcategory is enabled and the directory carries a SACL entry covering the access you want recorded; without both, this query returns nothing even during an attack. Adjust the excluded account names to match your environment.
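As an added example (not code from the advisory or from Sage), the PowerShell check below ties the icacls workaround to the 4663 query: it reports DACL entries on the shared data directory for principals outside an allowlist, flags inheritance that the workaround should have removed, and warns when no SACL entry exists to produce the event. The path, the allowlist and the CONTOSO\SageServiceAccount name are assumptions to adjust for your install.

```powershell
# Added example, not from the advisory or Sage: audit the Sage 300 shared data
# directory for broad DACL entries and a missing SACL. Assumptions: the path
# matches your install; 'CONTOSO\SageServiceAccount' is a placeholder account.
$SharedData = 'C:\ProgramData\Sage\Sage 300\Shared Data'
$AllowedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CONTOSO\SageServiceAccount')
$BroadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Test-SageSharedDataAcl {
    param([string]$Path, [string[]]$Allowed, [string[]]$Broad)
    # -Audit reads the SACL as well as the DACL; this needs an elevated session.
    $acl = Get-Acl -Path $Path -Audit
    $findings = @()

    # DACL: every ACE for a principal outside the allowlist is reported. Broad groups
    # are HIGH because they expose the encrypted ISAM files to any local user.
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($Allowed -notcontains $who) {
            $sev = if ($Broad -contains $who) { 'HIGH' } else { 'REVIEW' }
            $findings += [pscustomobject]@{
                Severity  = $sev
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }

    # If inheritance is still enabled, the /inheritance:r step has not been applied
    # and ACEs from parent folders (for example ProgramData) still flow down.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += [pscustomobject]@{ Severity = 'REVIEW'; Principal = '(inheritance)'; Rights = 'still inherited'; Inherited = $true }
    }

    # SACL: Event ID 4663 is only written when a Success audit entry covering read
    # access exists here (and the File System audit subcategory is enabled).
    $readAudit = $acl.Audit | Where-Object {
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -and
        ($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success)
    }
    if (-not $readAudit) {
        $findings += [pscustomobject]@{ Severity = 'REVIEW'; Principal = '(audit)'; Rights = 'no Success audit for read'; Inherited = $false }
    }
    return $findings
}

Test-SageSharedDataAcl -Path $SharedData -Allowed $AllowedPrincipals -Broad $BroadGroups | Format-Table -AutoSize
```

An empty result means only allowlisted principals hold ACEs, inheritance is blocked, and read access is audited; any HIGH row is a principal through which the encrypted files can be copied off the host.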
