CVE-2023-7308

7.5 HIGH

📋 TL;DR

The SecGate3600 firewall has an authentication bypass vulnerability in its user management endpoint that allows unauthenticated attackers to retrieve sensitive user and configuration data. This affects all organizations using NSFOCUS SecGate3600 firewalls with the vulnerable component exposed. Attackers can exploit this remotely without any credentials.

💻 Affected Systems

Products:
  • NSFOCUS SecGate3600 Firewall
Versions: Not specified on this page; treat every build without a vendor fix as affected
Operating Systems: Firewall-specific OS
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with the /cgi-bin/authUser/authManageSet.cgi endpoint accessible are vulnerable.

📦 What is this software?

NSFOCUS SecGate3600 is a network firewall appliance from NSFOCUS. The affected component is its web-based management interface, specifically the CGI endpoint /cgi-bin/authUser/authManageSet.cgi used for user management.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain administrative credentials, pivot to internal networks, and compromise the entire firewall infrastructure, leading to full network compromise.

🟠 Likely Case

Attackers harvest user information and configuration details to plan further attacks, potentially leading to credential theft and lateral movement.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to information disclosure without direct system compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit script available on GitHub. Exploitation observed in the wild by Shadowserver Foundation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Contact NSFOCUS support for patch availability.
2. Apply vendor-provided security updates.
3. Verify that the /cgi-bin/authUser/authManageSet.cgi endpoint is no longer accessible without authentication.

🔧 Temporary Workarounds

Network Access Control

Applies to: all versions

Restrict access to the firewall management interface to trusted IP addresses only.

Configure firewall rules to allow management access only from specific source IPs/networks.

Endpoint Blocking

Applies to: all versions

Block access to the vulnerable endpoint using web application firewall or reverse proxy rules.

Add a rule to block requests to /cgi-bin/authUser/authManageSet.cgi.

🧯 If You Can't Patch

  • Isolate the firewall from internet access and restrict management interface to internal networks only
  • Implement strict network segmentation to limit potential lateral movement if data is exfiltrated

🔍 How to Verify

Check if Vulnerable:

Send an unauthenticated POST request to https://[firewall-ip]/cgi-bin/authUser/authManageSet.cgi. If the response contains user or configuration data rather than an authentication error or a redirect to the login page, the device is vulnerable.

Check Version:

Check firewall web interface or CLI for current firmware version

Verify Fix Applied:

Attempt the same request after applying the patch or workarounds; it should return an authentication error (or be blocked and return no response at all).

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated POST requests to /cgi-bin/authUser/authManageSet.cgi
  • Unusual data export patterns from firewall

Network Indicators:

  • HTTP POST requests to vulnerable endpoint from untrusted sources
  • Data exfiltration patterns from firewall management interface

SIEM Query:

source_ip NOT IN trusted_networks AND uri_path="/cgi-bin/authUser/authManageSet.cgi" AND http_method="POST"
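The SIEM query above, implemented as an added example over constructed log lines (not from the page, not a real SecGate log format). The log format is assumed to be one JSON record per line with source_ip, http_method, uri_path, status and bytes_sent fields; the trusted management networks are placeholders. Hits from untrusted sources get a HIGH severity when the appliance answered 200 (the "data export" indicator), MEDIUM when it was refused.

```python
"""Detection logic for CVE-2023-7308 probes, run over constructed sample log
lines. Added example; the log format and trusted networks are assumptions."""
import ipaddress
import json

ENDPOINT = "/cgi-bin/authUser/authManageSet.cgi"
# Assumption: management access is expected only from these networks.
TRUSTED_NETWORKS = ["10.0.0.0/8", "192.168.50.0/24"]

# Constructed sample log (JSON lines). Not real appliance output.
SAMPLE_LOG = """
{"ts":"2024-01-10T08:01:02Z","source_ip":"203.0.113.7","http_method":"POST","uri_path":"/cgi-bin/authUser/authManageSet.cgi","status":200,"bytes_sent":4821}
{"ts":"2024-01-10T08:01:05Z","source_ip":"10.0.3.12","http_method":"POST","uri_path":"/cgi-bin/authUser/authManageSet.cgi","status":200,"bytes_sent":4821}
{"ts":"2024-01-10T08:02:10Z","source_ip":"203.0.113.7","http_method":"GET","uri_path":"/login.cgi","status":200,"bytes_sent":1200}
{"ts":"2024-01-10T08:03:44Z","source_ip":"198.51.100.22","http_method":"POST","uri_path":"/cgi-bin/authUser/authManageSet.cgi?x=1","status":403,"bytes_sent":0}
this line is not JSON and must be skipped
"""


def is_trusted(ip, networks=TRUSTED_NETWORKS):
    """True if ip falls inside any of the trusted CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def find_suspicious(lines, networks=TRUSTED_NETWORKS):
    """Return records matching the page's query:
    source_ip NOT IN trusted_networks AND uri_path == ENDPOINT AND POST.
    Each hit is annotated with a severity based on the appliance's answer."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip, do not crash the pipeline
        if rec.get("http_method") != "POST":
            continue
        # Compare the path only, so a query string cannot evade the match.
        if rec.get("uri_path", "").split("?", 1)[0] != ENDPOINT:
            continue
        if is_trusted(rec.get("source_ip", "0.0.0.0"), networks):
            continue
        rec["severity"] = "HIGH" if rec.get("status") == 200 else "MEDIUM"
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f'{hit["severity"]:6} {hit["ts"]} {hit["source_ip"]} '
              f'status={hit["status"]} bytes={hit["bytes_sent"]}')
```

A 200 with a large bytes_sent from an untrusted source is the case to escalate; a 403 from the same source is the workaround doing its job but still worth recording as reconnaissance.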
