Unauthenticated Arbitrary User Creation Leads to Complete System Compromise
CVE-2023-25589

9.8CRITICAL

Key Information:

Vendor: HP (HP)
Status: Aruba Clearpass Policy Manager
Vendor: CVE Published:; 22 March 2023

What is CVE-2023-25589?

A vulnerability in the web-based management interface of ClearPass Policy Manager can be exploited by an unauthenticated remote attacker, enabling them to create arbitrary user accounts on the platform. This exploit permits attackers to gain unauthorized access and potentially compromise the entire cluster, raising significant security concerns for network integrity.

Affected Version(s)

Aruba ClearPass Policy Manager 6.11.1 and below

Aruba ClearPass Policy Manager 6.10.8 and below

Aruba ClearPass Policy Manager 6.9.13 and below

References

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 22, 2023
Vulnerability Reserved
Feb 7, 2023

Credit

Daniel Jensen (@dozernz)

HP (HP)

What is CVE-2023-25589?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit