PatchSiren


CVE-2023-35069 Biges CVE debrief

CVE-2023-35069 is an improper pathname restriction issue in Bullwark Momentum Series devices that NVD maps to CWE-22 path traversal. The record indicates the issue affects versions before BLW-2016E-960H and can be reached over the network without privileges or user interaction, with high confidentiality impact.

Vendor: Biges
Product: Bullwark Momentum Series
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-07-13
Original CVE updated: 2024-11-21
Advisory published: 2023-07-13
Advisory updated: 2024-11-21

Who should care

Organizations that operate Bullwark Momentum Series devices, especially assets running versions earlier than BLW-2016E-960H. Security teams should also review any network paths to exposed management or service interfaces on these devices.

Technical summary

The official NVD record classifies this as a CWE-22 path traversal vulnerability and lists the vulnerable product as cpe:2.3:a:biges:bullwark_momentum_series:*:*:*:*:*:*:*:* with versions ending before BLW-2016E-960H. The CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N indicates a network-reachable issue requiring no privileges or user interaction, with confidentiality as the primary impact. NVD also references the USOM advisory tr-23-0401.

Defensive priority

High. The combination of network reachability, no authentication requirement, and high confidentiality impact makes this worth prioritizing for exposure review and remediation planning.

Recommended defensive actions

  • Identify all Bullwark Momentum Series devices in inventory and confirm whether any are running versions before BLW-2016E-960H.
  • Apply the vendor or advisory guidance referenced by NVD and upgrade affected systems to BLW-2016E-960H or later if available.
  • Restrict network access to Bullwark management and service interfaces to trusted administrative hosts only.
  • Review logs and telemetry for unusual requests targeting file or path handling on affected devices.
  • If immediate remediation is not possible, isolate exposed systems to reduce the chance of unauthorized path access.

Evidence notes

The debrief is based on the official CVE record, the official NVD detail record, and the USOM advisory referenced by NVD. NVD marks CVE-2023-35069 as a CWE-22 path traversal issue affecting Bullwark Momentum Series before BLW-2016E-960H, with CVSS v3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The supplied data shows the CVE published on 2023-07-13 and modified on 2024-11-21; no KEV entry was supplied.

Official resources

Publicly disclosed in the CVE/NVD record on 2023-07-13 and later modified in NVD on 2024-11-21. No CISA KEV listing was supplied in the source corpus.