PatchSiren cyber security CVE debrief

CVE-2023-6523 ExtremePacs CVE debrief

CVE-2023-6523 describes an authorization bypass in ExtremePacs Extreme XDS caused by a user-controlled key, enabling authentication abuse. The issue affects Extreme XDS versions before 3914 and carries a CVSS 3.1 score of 8.8 (HIGH). Public references include NVD and USOM advisories, and the weakness was mapped to CWE-639 in the source corpus. Organizations running Extreme XDS should verify whether they are on a vulnerable build and prioritize upgrade planning.

Vendor: ExtremePacs
Product: Extreme XDS
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-05
Original CVE updated: 2026-05-20
Advisory published: 2024-04-05
Advisory updated: 2026-05-20

Who should care

Security, IT, and application teams responsible for ExtremePacs Extreme XDS deployments; identity and access management owners; and incident responders monitoring unauthorized authentication activity.

Technical summary

The source corpus describes an authorization bypass through a user-controlled key in ExtremePacs Extreme XDS, which can lead to authentication abuse. NVD metadata lists the vulnerability as CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and notes the vulnerability status as Deferred. USOM references associate the issue with CWE-639. The affected range in the description is Extreme XDS before 3914.

Defensive priority

High. The combination of network reachability, low attack complexity, limited privileges, and high CIA impact makes this a priority remediation item for any exposed or in-use Extreme XDS deployment.

Recommended defensive actions

  • Identify whether ExtremePacs Extreme XDS is deployed in your environment and confirm the installed version.
  • Upgrade Extreme XDS to 3914 or later, per the affected-version statement in the CVE description.
  • Review authentication and authorization logic to ensure user-supplied keys are not treated as authoritative access controls.
  • Monitor for unusual authentication successes, privilege anomalies, and account access patterns tied to Extreme XDS.
  • Restrict network exposure of affected systems until patched, especially where the service is accessible beyond trusted administrative networks.
  • Validate compensating controls such as logging, alerting, and account hygiene for systems that may have been exposed.
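As an added illustration of the CWE-639 pattern that the review item above warns against (this is not Extreme XDS code; the corpus gives no detail of the affected logic), the sketch below shows a handler that trusts a caller-supplied "user" key as the authorization subject, beside a hardened form that derives the subject from the server-side session only. STUDIES, SESSIONS and the request field names are constructed assumptions.

```python
# Constructed in-memory fixtures standing in for a session store and a record store.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
STUDIES = {
    "study-1001": {"owner": "alice", "report": "report for alice"},
    "study-2002": {"owner": "bob", "report": "report for bob"},
}


class Forbidden(Exception):
    """Raised when a request is not authorized."""


def authenticate(token):
    """Resolve a session token to a server-side identity, or refuse."""
    user = SESSIONS.get(token)
    if user is None:
        raise Forbidden("invalid session")
    return user


def vulnerable_get_report(token, params):
    # Authentication happens, but authorization is then keyed on a
    # caller-controlled value ("user"), the CWE-639 mistake: the caller
    # can name any owner they like and the check passes.
    authenticate(token)
    subject = params["user"]
    study = STUDIES[params["study_id"]]
    if study["owner"] != subject:
        raise Forbidden("not the owner")
    return study["report"]


def hardened_get_report(token, params):
    # The subject is whatever the session says it is; nothing in the
    # request body can change it. Missing and unowned records get the
    # same refusal so record ids cannot be enumerated by response shape.
    subject = authenticate(token)
    study = STUDIES.get(params["study_id"])
    if study is None or study["owner"] != subject:
        raise Forbidden("not the owner")
    return study["report"]


def is_denied(handler, token, params):
    """True when the handler refuses the request, for quick checks."""
    try:
        handler(token, params)
    except Forbidden:
        return True
    return False
```

Bob's session presenting `user=alice` is the case to test: the vulnerable handler hands over Alice's record, the hardened one refuses it.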

Evidence notes

Supported facts come from the CVE description, NVD metadata, and USOM references in the supplied corpus. The corpus identifies ExtremePacs Extreme XDS as affected before 3914, describes an authorization bypass through a user-controlled key, and maps the weakness to CWE-639. NVD metadata shows a CVSS 3.1 vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and marks the vulnerability status as Deferred. The CVE published date is 2024-04-05; the 2026-05-20 timestamp is a metadata modification date, not the issue date.

Official resources

Publicly disclosed on 2024-04-05; the NVD and USOM advisories are the public references cited in this debrief. The supplied corpus later shows a 2026-05-20 metadata modification, which should not be treated as the vulnerability's issue date.