CVE-2022-38583: On versions of Sage 300 2017 - 2022 (6.4.x - 6.9.x) which are setup in a "Windows Peer-to-Peer Network" or...
On versions of Sage 300 2017 - 2022 (6.4.x - 6.9.x) which are setup in a "Windows Peer-to-Peer Network" or "Client Server Network" configuration, a low-privileged Sage 300 workstation user could abuse their access to the "SharedData" folder on the connected Sage 300 server to view and/or modify the credentials associated with Sage 300 users and SQL accounts to impersonate users and/or access the SQL database as a system administrator. With system administrator-level access to the Sage 300 MS SQL database it would be possible to create, update, and delete all records associated with the program and, depending on the configuration, execute code on the underlying database server.
Security readout for executives and security teams
Plain-English summary
A low-privileged Sage 300 workstation user may be able to read or change credentials stored through the shared Sage 300 data folder. If abused, this could let them impersonate users or gain administrator-level access to the Sage 300 SQL database, putting financial and operational records at risk.
Executive priority
Treat as a high-priority internal exposure issue for Sage 300 environments. The business risk is unauthorized manipulation or deletion of ERP records, not remote internet-scale exploitation based on the provided evidence.
Technical view
CVE-2022-38583 affects Sage 300 2017-2022, versions 6.4.x-6.9.x, in Windows peer-to-peer or client-server network configurations. The issue is tied to improper permissions on SharedData, allowing credential exposure or modification and potential SQL system administrator access. CVSS 3.1 is 7.8, local attack vector, low privileges required.
Likely exposure
Organizations running Sage 300 2017-2022 in the named Windows network configurations are the relevant exposure group. Risk depends on workstation user access to the SharedData folder and SQL account handling.
Exploitation context
The provided bundle does not show CISA KEV listing or evidence of active exploitation. The flaw requires local low-privileged access as a Sage 300 workstation user, but successful abuse could have high confidentiality, integrity, and availability impact.
Researcher notes
Evidence names CWE-276 and describes credential read/modify exposure through SharedData. Affected metadata in the bundle is incomplete, so validation should rely on the CVE description, deployment topology, folder ACLs, and vendor guidance.
Mitigation direction
Check Sage and ControlGap guidance for supported remediation or configuration changes.
Restrict SharedData permissions to the minimum required users and groups.
Review Sage 300 and SQL account credential storage and access controls.
Rotate exposed Sage 300 and SQL credentials if unauthorized access is suspected.
Limit SQL administrator privileges used by the application where operationally possible.
Validation and detection
Inventory Sage 300 versions and identify 6.4.x through 6.9.x deployments.
Confirm whether deployments use Windows peer-to-peer or client-server network configurations.
Audit SharedData folder permissions for low-privileged workstation users.
Review SQL account privileges associated with Sage 300 access.
Check logs for unexpected Sage 300 user impersonation or database changes.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-276: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
2ADP providers
2Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-276 · source CWE mapping
Incorrect Default Permissions
Incorrect Default Permissions represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.