CVE-2022-26157
Description
An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. The ASP.NET_Sessionid cookie is not protected by the Secure flag. This makes it prone to interception by an attacker if traffic is sent over unencrypted channels.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cherwell Service Management (CSM) 10.2.3 lacks the Secure flag on its ASP.NET_Sessionid cookie, enabling session interception over unencrypted HTTP.
Vulnerability
Cherwell Service Management (CSM) version 10.2.3 does not set the Secure flag on the ASP.NET_Sessionid cookie [1], [2]. As a result, the cookie is transmitted over both HTTPS and unencrypted HTTP connections. The vulnerability exists in the web application component and does not require any special configuration to be reachable — it is present by default in the affected version.
Exploitation
An attacker positioned on the same network as the victim (e.g., on a shared Wi-Fi or via a man-in-the-middle attack) can passively capture the unencrypted ASP.NET_Sessionid cookie when the victim navigates from an HTTPS page to an HTTP resource on the same Cherwell server, or if the application is delivered over HTTP altogether. No authentication or user interaction beyond the victim performing a normal session is required; the attacker simply intercepts network traffic.
Impact
Successful exploitation allows the attacker to hijack the victim's active session by replaying the stolen ASP.NET_Sessionid cookie. This leads to unauthorized access to the Cherwell Service Management instance under the victim's identity, potentially enabling disclosure of sensitive customer data, ticket manipulation, and further internal compromise [2]. The attack compromises session confidentiality and integrity.
Mitigation
Ivanti (formerly Cherwell) addressed this issue in Cherwell Service Management (CSM) version 10.4.0, released in 2022, by ensuring the ASP.NET_Sessionid cookie is flagged with the Secure attribute [1]. Organizations should upgrade to version 10.4.0 or later. If upgrading is not immediately possible, administrators should enforce HTTPS-only traffic to the application and disable mixed-content behavior at the web server or load balancer level. No workaround is documented for the specific cookie flag. The vulnerability is not listed on the CISA KEV at the time of writing.
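The mitigation above comes down to two checks an administrator can verify rather than assume: that the session cookie is issued with the Secure attribute, and that the application is reached only over HTTPS. The following script is an added example, not code from Ivanti/Cherwell or from this page; it parses the Set-Cookie headers of an HTTP response and reports any session cookie missing Secure (and, as a standard companion check, HttpOnly). The sample headers are constructed to illustrate the condition the description above states, and the cookie values are placeholders. The `fetch_set_cookie_headers` helper is included so the same audit can be run against an instance you administer.

```python
"""Audit Set-Cookie headers for session cookies that lack the Secure flag.

Added example for CVE-2022-26157 (not part of the original page). It checks
whether session cookies such as ASP.NET_SessionId carry the Secure and
HttpOnly attributes, which is the condition the advisory says the fixed
version enforces. All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional
import urllib.request

# Names of well-known session cookies, compared case-insensitively.
# ASP.NET emits "ASP.NET_SessionId"; the CVE text writes it as ASP.NET_Sessionid.
SESSION_COOKIE_NAMES = {"asp.net_sessionid", "jsessionid", "phpsessid", "sessionid"}


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]

    def missing(self) -> List[str]:
        """Return the protective attributes this cookie was issued without."""
        absent = []
        if not self.secure:
            absent.append("Secure")
        if not self.httponly:
            absent.append("HttpOnly")
        return absent


def parse_set_cookie(header: str) -> CookieFinding:
    """Parse one Set-Cookie header value into a CookieFinding.

    Attribute names are matched case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = httponly = False
    samesite = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = value.strip() or None
    return CookieFinding(name, secure, httponly, samesite)


def audit_session_cookies(headers: List[str]) -> List[CookieFinding]:
    """Return session cookies from the given Set-Cookie headers that lack
    Secure or HttpOnly. Non-session cookies are ignored."""
    findings = []
    for header in headers:
        finding = parse_set_cookie(header)
        if finding.name.lower() in SESSION_COOKIE_NAMES and finding.missing():
            findings.append(finding)
    return findings


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Fetch a URL (e.g. the login page of your own instance) and return
    every Set-Cookie header the server sent. Network access required."""
    with urllib.request.urlopen(url) as response:
        return response.headers.get_all("Set-Cookie") or []


# Constructed sample of a vulnerable response: the session cookie has
# HttpOnly but no Secure attribute, which is the defect the CVE describes.
SAMPLE_RESPONSE_HEADERS = [
    "ASP.NET_SessionId=EXAMPLE-SESSION-ID-0000; path=/; HttpOnly",
    "theme=dark; path=/",  # not a session cookie; ignored by the audit
    "__RequestVerificationToken=EXAMPLE-TOKEN; path=/; HttpOnly; Secure",
]

if __name__ == "__main__":
    for finding in audit_session_cookies(SAMPLE_RESPONSE_HEADERS):
        print(f"{finding.name}: missing {', '.join(finding.missing())}"
              f" (SameSite={finding.samesite or 'not set'})")
```

On ASP.NET itself, the corresponding server-side setting is `<httpCookies requireSSL="true" httpOnlyCookies="true" />` under `<system.web>` in web.config, which marks every cookie the framework issues as Secure and HttpOnly; pairing it with an HTTPS-only listener or load balancer rule removes the unencrypted path the description refers to.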
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Cherwell/Service Management
- Range: 10.2.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.