CVE-2023-40260

9.1 CRITICAL

📋 TL;DR

CVE-2023-40260 allows attackers to bypass multi-factor authentication in EmpowerID by using stolen credentials to change account email addresses. This vulnerability affects EmpowerID deployments before version 7.205.0.1, potentially enabling account takeover.

💻 Affected Systems

Products:
  • EmpowerID
Versions: All versions before 7.205.0.1
Operating Systems: Windows Server (primary deployment platform)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all EmpowerID deployments with MFA enabled where email change functionality is available.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover of any EmpowerID user, including administrators, leading to privilege escalation and full system compromise.

🟠 Likely Case: Targeted account takeover of specific users, enabling unauthorized access to sensitive systems and data.

🟢 If Mitigated: Limited impact with proper MFA enforcement and email change verification controls in place.

🌐 Internet-Facing: HIGH - If EmpowerID is exposed to the internet, attackers can exploit this remotely with stolen credentials.
🏢 Internal Only: MEDIUM - Internal attackers with stolen credentials could still exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid username/password credentials but is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.205.0.1

Vendor Advisory: https://www.empowerid.com/security-advisories

Restart Required: Yes

Instructions:

1. Back up the EmpowerID configuration and databases.
2. Download EmpowerID 7.205.0.1 or later from the vendor portal.
3. Run the installer with administrative privileges.
4. Restart the EmpowerID services and IIS.
5. Verify functionality after the upgrade.

🔧 Temporary Workarounds

Disable email change functionality (windows)
  • Temporarily disable the ability for users to change email addresses in EmpowerID.
  • Modify the EmpowerID configuration to remove email change permissions.

Enforce additional email verification (windows)
  • Require MFA verification before allowing email address changes.
  • Configure EmpowerID policy to require MFA for email modifications.

🧯 If You Can't Patch

  • Implement strict credential monitoring and alerting for suspicious email change activities
  • Enforce network segmentation to limit access to EmpowerID administration interfaces

🔍 How to Verify

Check if Vulnerable:

Check EmpowerID version in administration console or via PowerShell: Get-Command -Module EmpowerID

Check Version:

Check EmpowerID web interface or examine installed programs in Control Panel

Verify Fix Applied:

Verify version is 7.205.0.1 or later and test that email changes now require MFA verification

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed MFA attempts followed by successful email change
  • Email address modifications without corresponding MFA verification logs

Network Indicators:

  • Unusual patterns of email change API calls
  • Multiple authentication requests from single source followed by profile modification

SIEM Query:

source="empowerid" event_type IN ("mfa_verification", "email_change")
| transaction user maxspan=15m
| search event_type="email_change" NOT event_type="mfa_verification"

The condition has to be evaluated per user across a time window rather than on a single event: a single event cannot have event_type="email_change" and event_type="mfa_verification" at the same time, so a plain AND NOT on one event never matches. The Splunk-style transaction above groups a user's events within 15 minutes and keeps groups that contain an email change but no MFA verification. The user field name and the 15-minute window are assumptions and should be adapted to the EmpowerID log schema in use.
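The same correlation as a stand-alone detector, as an added example that is not part of the advisory or of EmpowerID: it walks a set of constructed, key=value style log lines (the format and the field names ts, user, event_type and src_ip are assumptions), remembers each user's most recent MFA verification, and flags any email_change event that is not preceded by an MFA verification for that user within the window. It also counts prior mfa_failure events for the user, which covers the "multiple failed MFA attempts followed by successful email change" indicator above.

```python
"""Flag EmpowerID-style email_change events that lack a recent MFA verification.

Added example (not the advisory's or vendor's code). The log format
"<ISO timestamp> user=<id> event_type=<type> src_ip=<ip>" and the field
names are assumptions; adapt parse_line() to the real EmpowerID schema.
"""
from datetime import datetime, timedelta

# Constructed sample log lines (not real EmpowerID output).
SAMPLE_LOG = """\
2024-01-10T09:00:02Z user=alice event_type=login_success src_ip=10.0.0.5
2024-01-10T09:00:20Z user=alice event_type=mfa_verification src_ip=10.0.0.5
2024-01-10T09:01:05Z user=alice event_type=email_change src_ip=10.0.0.5
2024-01-10T09:30:00Z user=bob event_type=mfa_failure src_ip=203.0.113.7
2024-01-10T09:30:10Z user=bob event_type=mfa_failure src_ip=203.0.113.7
2024-01-10T09:30:25Z user=bob event_type=login_success src_ip=203.0.113.7
2024-01-10T09:31:00Z user=bob event_type=email_change src_ip=203.0.113.7
2024-01-10T11:00:00Z user=carol event_type=mfa_verification src_ip=10.0.0.9
2024-01-10T12:00:00Z user=carol event_type=email_change src_ip=10.0.0.9
"""


def parse_line(line):
    """Parse one assumed key=value log line into a dict with a datetime 'ts'."""
    ts_str, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_unverified_email_changes(log_text, window=timedelta(minutes=15)):
    """Return one alert per email_change with no MFA verification for the same
    user inside `window` before it. Events are processed in timestamp order so
    the detector works the same way over a live stream as over a batch."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    last_mfa = {}       # user -> timestamp of most recent mfa_verification
    mfa_failures = {}   # user -> number of mfa_failure events seen so far
    alerts = []
    for e in events:
        user, kind = e["user"], e["event_type"]
        if kind == "mfa_verification":
            last_mfa[user] = e["ts"]
        elif kind == "mfa_failure":
            mfa_failures[user] = mfa_failures.get(user, 0) + 1
        elif kind == "email_change":
            # Verified only if an MFA verification happened within the window.
            recent = user in last_mfa and e["ts"] - last_mfa[user] <= window
            if not recent:
                alerts.append({
                    "user": user,
                    "ts": e["ts"].isoformat(),
                    "src_ip": e.get("src_ip"),
                    "prior_mfa_failures": mfa_failures.get(user, 0),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_unverified_email_changes(SAMPLE_LOG):
        print(alert)
```

On the sample data alice's change is preceded by an MFA verification 45 seconds earlier and is not flagged; bob's change follows two MFA failures and no verification, and carol's verification is an hour old, so both are reported. The window length is the main tuning knob: too short and legitimate sessions that verified MFA at login are flagged, too long and an attacker who waits out the window slips through.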
