VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2022 · Updated May 9, 2025

CVE-2022-28169

Description

Brocade Webtools in Brocade Fabric OS versions before v9.1.1, v9.0.1e, and v8.2.3c could allow a low-privilege Webtools user to gain elevated admin rights or privileges beyond what is intended or entitled for that user. By exploiting this vulnerability, a user whose role is not admin can create a new user with an admin role using the operator session ID. The issue was replicated after intercepting the admin and operator authorization headers, which were sent unencrypted, and editing a user-addition request to use the operator's authorization header.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Brocade Fabric OS Webtools before versions v9.1.1, v9.0.1e, and v8.2.3c allows low-privilege users to escalate to admin by intercepting and reusing unencrypted authorization headers.

Vulnerability

The Brocade Webtools component in Brocade Fabric OS versions before v9.1.1, v9.0.1e, and v8.2.3c allows a low-privilege Webtools user to gain admin rights. The flaw stems from the transmission of unencrypted admin and operator authorization headers, which can be intercepted and reused in a user-addition request to create a new user with an admin role. [1]

Exploitation

An attacker with low-privilege Webtools access must be positioned to intercept network traffic (e.g., man-in-the-middle) to capture the unencrypted authorization headers. Using the captured operator session ID, the attacker can then craft a user-addition request that substitutes their own authorization header with the operator's header, thereby creating an admin account. [1]

Impact

Successful exploitation grants the attacker full administrative privileges on the Brocade Fabric OS switch, enabling complete control over the device and its managed fabric. [1]

Mitigation

Broadcom released fixes in Brocade Fabric OS versions v9.1.1, v9.0.1e, and v8.2.3c that introduce a configurable option to disable Webtools access for non-admin users. This option is not enabled by default and must be activated by an admin using the configurechassis CLI command. In version v9.2.0, architectural changes eliminate the vulnerability entirely. [1]
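To make the authorization failure described above concrete, here is an added illustration (hypothetical Python, not Brocade's Webtools code) of a user-addition handler that checks only that a session ID exists, beside one that resolves the principal bound to the session, requires the admin role, and refuses cleartext transport. The session table, request shape and role names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed session store: session id -> (username, role). In the flaw
# described on this page, the operator's session id, captured from an
# unencrypted authorization header, is replayed into a user-addition request.
SESSIONS = {
    "sess-admin-1": ("admin", "admin"),
    "sess-oper-1": ("operator", "operator"),
}

# Constructed user table that a successful request writes into.
USERS: dict[str, str] = {}


@dataclass
class Request:
    session_id: str   # value taken from the request's authorization header
    target_user: str  # account to create
    target_role: str  # role requested for the new account
    tls: bool = True  # whether the request arrived over an encrypted channel


def add_user_vulnerable(req: Request) -> bool:
    """Accepts any known session id, so a replayed operator header succeeds."""
    if req.session_id not in SESSIONS:
        return False
    USERS[req.target_user] = req.target_role
    return True


def add_user_hardened(req: Request) -> bool:
    """Refuse cleartext, bind the session to its principal, require admin."""
    if not req.tls:
        return False  # headers on a cleartext channel are interceptable
    principal = SESSIONS.get(req.session_id)
    if principal is None:
        return False
    _username, role = principal
    if role != "admin":
        return False  # an operator session must not create accounts
    USERS[req.target_user] = req.target_role
    return True
```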

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
