CVE-2023-22620

7.5 HIGH

📋 TL;DR

This vulnerability in SecurePoint UTM firewalls allows attackers to obtain valid session IDs through invalid authentication attempts. These stolen session IDs can then be used to bypass authentication and gain administrative access to the device. Organizations running affected SecurePoint UTM versions are at risk.

💻 Affected Systems

Products:
  • SecurePoint UTM
Versions: All versions before 12.2.5.1
Operating Systems: SecurePoint's custom OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface endpoint /spcgi.cgi. All default configurations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full administrative compromise of the firewall, allowing attackers to reconfigure network security, intercept traffic, disable security controls, and use the device as a foothold for lateral movement.

🟠 Likely Case

Unauthorized administrative access leading to firewall configuration changes, network policy manipulation, and potential data interception.

🟢 If Mitigated

Limited impact with proper network segmentation, strong authentication controls, and monitoring in place to detect unauthorized access attempts.

🌐 Internet-Facing: HIGH - Firewalls are typically internet-facing, and this vulnerability allows unauthenticated attackers to potentially gain administrative access.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted requests to the vulnerable endpoint. Public proof-of-concept code is available in the referenced advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.2.5.1

Vendor Advisory: https://rcesecurity.com

Restart Required: Yes

Instructions:

1. Log into the SecurePoint UTM admin interface.
2. Navigate to System > Update.
3. Check for available updates.
4. Apply the update to version 12.2.5.1 or later.
5. Reboot the device as prompted.

🔧 Temporary Workarounds

Restrict Access to Management Interface (applies to: all)

Limit network access to the firewall's management interface to trusted IP addresses only.

Configure firewall rules to restrict access to port 443/TCP (HTTPS) and port 80/TCP (HTTP) to specific management IP ranges.

Disable Unnecessary Web Interface (applies to: linux)

If CLI management is sufficient, disable the web management interface.

Use SSH/CLI to disable the web interface: system disable-webgui

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate firewall management interface from untrusted networks
  • Enable multi-factor authentication if supported and monitor authentication logs for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check current version via web interface (System > Status) or CLI command 'show version'. If version is below 12.2.5.1, the system is vulnerable.

Check Version:

show version

Verify Fix Applied:

After patching, verify that the version is 12.2.5.1 or higher. Test authentication attempts against the /spcgi.cgi endpoint to confirm that failed logins no longer return valid session IDs.
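The version check above is easy to get wrong when done as a plain string comparison (for example, "12.10.0" sorts before "12.2.5.1" as text but is newer). The following is an added example, not code from the advisory or from SecurePoint: it pulls the first dotted version number out of arbitrary `show version` output (the exact output format is assumed, since the page does not show it) and compares it numerically against the fixed version 12.2.5.1 stated on this page.

```python
import re
from typing import Tuple

# Patch version stated in the advisory; anything below this is affected.
FIXED_VERSION = "12.2.5.1"

# Matches the first dotted numeric version (2 to 4 components) in free text.
VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){1,3})\b")


def extract_version(output: str) -> str:
    """Return the first dotted version string found in CLI/web output.

    The output format is an assumption; real `show version` output may differ.
    """
    match = VERSION_RE.search(output)
    if not match:
        raise ValueError("no version string found in output")
    return match.group(1)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '12.2.5.1' into (12, 2, 5, 1) so components compare as numbers."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version sorts numerically before the fixed one."""
    a, b = parse_version(installed), parse_version(fixed)
    # Pad the shorter tuple with zeros so that 12.2.5 compares as 12.2.5.0.
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def check_output(output: str) -> dict:
    """Convenience wrapper: extract the version and report the verdict."""
    version = extract_version(output)
    return {"version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    # Constructed sample output; not real SecurePoint UTM output.
    sample = "Securepoint UTM version 12.2.4 (build 1234)"
    print(check_output(sample))
```

Run `check_output` on the text captured from the web interface (System > Status) or from the `show version` command; a result of `vulnerable: True` means the device needs the 12.2.5.1 update.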

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts to /spcgi.cgi followed by successful authentication with different session IDs
  • Administrative access from unusual IP addresses or outside maintenance windows

Network Indicators:

  • Unusual HTTP requests to /spcgi.cgi endpoint with authentication parameters
  • Traffic patterns suggesting session hijacking

SIEM Query:

source="securepoint-utm" AND (uri_path="/spcgi.cgi" AND (http_status=401 OR http_status=200)) | stats count by src_ip, session_id
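The log indicator that matters most for this CVE is a source that collects several 401 responses from /spcgi.cgi, each carrying a session ID, and then succeeds using one of those session IDs. The SIEM query above only counts by source and session; the added example below (written for this page, not SecurePoint's or the advisory's code) walks constructed log lines in time order and raises an alert when that sequence appears within a short window. The line format, field names and sample values are all assumptions; adapt the regex to your UTM's real log export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed line format (constructed for this example; real UTM logs will differ).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) uri=(?P<uri>\S+) "
    r"status=(?P<status>\d{3}) session=(?P<session>\S+)$"
)
TARGET_URI = "/spcgi.cgi"

# Constructed sample log lines: one source fails three times, receiving a fresh
# session ID each time, then succeeds with the last of those IDs.
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z src=203.0.113.5 uri=/spcgi.cgi status=401 session=c0ffee01
2024-05-01T09:00:02Z src=203.0.113.5 uri=/spcgi.cgi status=401 session=c0ffee02
2024-05-01T09:00:03Z src=203.0.113.5 uri=/spcgi.cgi status=401 session=c0ffee03
2024-05-01T09:00:05Z src=203.0.113.5 uri=/spcgi.cgi status=200 session=c0ffee03
2024-05-01T09:10:00Z src=198.51.100.7 uri=/spcgi.cgi status=401 session=deadb001
2024-05-01T09:10:30Z src=198.51.100.7 uri=/spcgi.cgi status=200 session=deadb002
2024-05-01T09:20:00Z src=192.0.2.9 uri=/index.html status=200 session=feedf001
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "src": m.group("src"),
        "uri": m.group("uri"),
        "status": int(m.group("status")),
        "session": m.group("session"),
    }


def find_suspicious_sources(
    lines: List[str], min_failures: int = 3, window: timedelta = timedelta(minutes=5)
) -> List[Dict]:
    """Alert on a source whose 200 on /spcgi.cgi follows >= min_failures 401s in `window`."""
    events = [e for e in (parse_line(l) for l in lines if l.strip()) if e]
    events = [e for e in events if e["uri"] == TARGET_URI]
    events.sort(key=lambda e: e["ts"])

    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        failures = []  # (timestamp, session) for recent 401s from this source
        for e in evs:
            # Expire failures that fall outside the sliding window.
            failures = [f for f in failures if e["ts"] - f[0] <= window]
            if e["status"] == 401:
                failures.append((e["ts"], e["session"]))
            elif e["status"] == 200 and len(failures) >= min_failures:
                failed_sessions = {s for _, s in failures}
                alerts.append({
                    "src": src,
                    "ts": e["ts"],
                    "failed": len(failures),
                    "distinct_sessions": len(failed_sessions),
                    "success_session": e["session"],
                    # The telling sign for this CVE: the successful request
                    # used a session ID that was issued on a failed login.
                    "reused_failed_session": e["session"] in failed_sessions,
                })
                failures = []
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sources(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Tune `min_failures` and `window` to the normal failure rate on your management interface; a `reused_failed_session` of `True` is the strongest signal and should be escalated regardless of the failure count.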
