Login Sign Up

CVE-2023-4589

9.1 CRITICAL

📋 TL;DR

This vulnerability allows attackers with administrator access to Delinea Secret Server to install malicious software updates due to insufficient integrity verification. The update process lacks digital signatures and fails to validate update packages, enabling code injection. Organizations using Delinea Secret Server v10.9.000002 are affected.

💻 Affected Systems

Products:
  • Delinea Secret Server
Versions: v10.9.000002
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator-level access to exploit. All deployments of the affected version are vulnerable.

📦 What is this software?

Secret Server by Delinea

View all CVEs affecting Secret Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Secret Server instance, allowing attackers to steal all stored secrets, deploy persistent backdoors, and pivot to connected systems.

🟠

Likely Case

Administrator-level attackers could install malicious updates to exfiltrate credentials, modify configurations, or disrupt operations.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to authorized administrators who would be detected performing unauthorized updates.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrator credentials but is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v10.9.000003 or later

Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-delinea-secret-server

Restart Required: Yes

Instructions:

1. Backup Secret Server configuration and database. 2. Download the latest version from Delinea's official portal. 3. Run the installer with administrative privileges. 4. Restart the Secret Server service. 5. Verify the update completed successfully.

🔧 Temporary Workarounds

Restrict Administrator Access

all

Limit the number of administrator accounts and implement multi-factor authentication for all admin users.

Monitor Update Activities

all

Implement logging and alerting for all software update attempts on the Secret Server.

🧯 If You Can't Patch

  • Implement strict access controls and monitoring for all administrator accounts.
  • Isolate the Secret Server from internet access and restrict internal network connectivity.

🔍 How to Verify

Check if Vulnerable:

Check the Secret Server version in the web interface under Help > About. If version is exactly v10.9.000002, the system is vulnerable.

Check Version:

Not applicable - check via web interface or application logs.

Verify Fix Applied:

After updating, verify the version shows v10.9.000003 or later in the About section.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized update attempts
  • Update processes initiated by unexpected users
  • Failed integrity checks during updates

Network Indicators:

  • Unusual outbound connections after updates
  • Downloads from non-Delinea sources

SIEM Query:

source="secret_server" AND (event="update_initiated" OR event="package_install")

📊 Metadata

CVE ID: CVE-2023-4589
CVSS v3 Score: 9.1 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-345
Published: September 6, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-4589, you might also want to check these:

CVE-2022-30315 9.8

Honeywell Experion PKS Safety Manager controllers lack cryptographic authentication for control logi...

Same vulnerability type (CWE-345)
CVE-2025-66255 9.8

This vulnerability allows unauthenticated attackers to upload malicious firmware files to Mozart FM ...

Same vulnerability type (CWE-345)
CVE-2022-26871 9.8

CVE-2022-26871 is a critical arbitrary file upload vulnerability in Trend Micro Apex Central that al...

Same vulnerability type (CWE-345)