CVE-2022-40630 is a medium-severity vulnerability classified under CWE-384 (Session Fixation) affecting Tacitine Firewall devices, specifically all versions of EN6200-PRIME QUAD-35 and EN6200-PRIME QUAD-100 firmware from 19.1.1 through 22.20.1 inclusive. The vulnerability arises from improper session management in the web-based management interface of the firewall. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted HTTP request to the targeted device, enabling them to fixate a session identifier. Session fixation attacks allow an attacker to set or predict a valid session ID for a user before authentication, potentially enabling the attacker to hijack the user’s session after they log in. This can lead to unauthorized access to the firewall’s management interface, compromising confidentiality and integrity of the device’s configuration and network security policies. The CVSS v3.1 base score is 6.5, reflecting a network attack vector with low attack complexity, no privileges or user interaction required, and impacts on confidentiality and integrity but no impact on availability. No known exploits in the wild have been reported, and no patches or mitigation links were provided in the source information. The vulnerability affects critical network security infrastructure, making it a significant risk if exploited.

For European organizations, this vulnerability poses a risk to the security of perimeter defenses managed by Tacitine firewalls. Successful exploitation could allow attackers to gain unauthorized administrative access to firewall management interfaces, potentially leading to unauthorized changes in firewall rules, exposure of sensitive network traffic, or disruption of security controls. This could facilitate further lateral movement within corporate networks, data exfiltration, or disruption of services. Given the firewall’s role in enforcing network segmentation and access control, exploitation could undermine the confidentiality and integrity of sensitive data and critical infrastructure. Organizations in sectors with stringent regulatory requirements such as finance, healthcare, and critical infrastructure in Europe could face compliance violations and reputational damage if this vulnerability is exploited. The lack of required authentication and user interaction increases the risk of automated exploitation attempts, especially in environments where these firewall models are deployed and accessible from untrusted networks.

European organizations using Tacitine EN6200-PRIME QUAD-35 or QUAD-100 firewalls should immediately verify their firmware versions and restrict access to the web-based management interface to trusted internal networks only, ideally via VPN or secure management VLANs. Network segmentation should be enforced to isolate management interfaces from general user networks and the internet. Implement strong authentication mechanisms such as multi-factor authentication (MFA) for firewall management access where supported. Monitor firewall logs for unusual session activity or repeated HTTP requests that could indicate exploitation attempts. If vendor patches become available, prioritize timely deployment. In the absence of patches, consider deploying Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) with custom rules to detect and block session fixation attack patterns targeting the management interface. Regularly audit firewall configurations and session management policies to ensure secure defaults and session expiration settings. Conduct penetration testing focused on session management vulnerabilities to proactively identify and remediate weaknesses.