Description

InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-284: Improper Access Control. They allow unauthenticated devices to subscribe to MQTT topics on the same network as the device manager. An unauthorized user who knows of an existing topic name could send and receive messages to and from that topic. This includes the ability to send GET/SET configuration commands, reboot commands, and push firmware updates.

Related CPE's

o

inhandnetworks

inrouter302_firmware

Vulnerable

h

inhandnetworks

inrouter302

-

o

inhandnetworks

inrouter615-s_firmware

Vulnerable

h

inhandnetworks

inrouter615-s

-

References

https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-03

Third Party AdvisoryUS Government Resource

https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-03

Third Party AdvisoryUS Government Resource

Weaknesses

[email protected]

Secondary
CWE-284

[email protected]

Primary
NVD-CWE-Other

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

10 · Critical

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2023-01-12T22:15:10.443Z

2 years ago

Last modified

2024-11-21T06:45:02.430Z

1 year ago