9.8

CVE-2023-33372

EPSS 0.03%
Veröffentlicht 04.08.2023 18:15:11
Zuletzt bearbeitet 21.11.2024 08:05:29
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Connected IO v2.1.0 and prior uses a hard-coded username/password pair embedded in their device's firmware used for device communication using MQTT. An attacker who gained access to these credentials is able to connect to the MQTT broker and send messages on behalf of devices, impersonating them. in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Connectedio ≫ Connected Io Version <= 2.1.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.072

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://claroty.com/team82/disclosure-dashboard/cve-2023-33372

Third Party Advisory

https://www.connectedio.com/products/routers

Product

https://nvd.nist.gov/vuln/detail/CVE-2023-33372

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-33372

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-33372

EUVD