CVE-2022-50800
Unknown Unknown - Not Provided
User Enumeration Vulnerability in H3C SSL VPN via login_submit.cgi

Publication date: 2025-12-30

Last updated on: 2025-12-30

Assigner: VulnCheck

Description
H3C SSL VPN contains a user enumeration vulnerability that allows attackers to identify valid usernames through the 'txtUsrName' POST parameter. Attackers can submit different usernames to the login_submit.cgi endpoint and analyze response messages to distinguish between existing and non-existing accounts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-30
Last Modified
2025-12-30
Generated
2026-06-16
AI Q&A
2025-12-31
EPSS Evaluated
2026-06-15
NVD
CVE-2022-50800
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
h3c ssl_vpn 4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-203 The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in H3C SSL VPN allows attackers to perform user enumeration by submitting different usernames to the login_submit.cgi endpoint via the 'txtUsrName' POST parameter. By analyzing the response messages, attackers can determine which usernames are valid on the system.

Detection Guidance

This vulnerability can be detected by submitting different usernames to the login_submit.cgi endpoint using the 'txtUsrName' POST parameter and analyzing the response messages to distinguish between existing and non-existing accounts. For example, you can use curl commands to automate this process: curl -X POST -d "txtUsrName=someusername" https://target/vpn/login_submit.cgi and observe the response differences to identify valid usernames.

Impact Analysis

The vulnerability can allow attackers to identify valid usernames, which can be used to facilitate further attacks such as brute force password attempts or targeted phishing, potentially compromising user accounts and system security.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50800. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart