Security advisory accidentally exposes vulnerable systems
2022-07-06 19:20

A security advisory published by MITRE for a vulnerability has accidentally been exposing links to remote admin consoles of over a dozen vulnerable IP devices since at least April 2022.

A vulnerability advisory published by MITRE for a high-severity information disclosure vulnerability in April ironically disclosed links to over a dozen live IoT devices vulnerable to the flaw.

Because a large number of sources rely on MITRE and NVD/NIST for receiving vulnerability feeds, the CVE advisory has already been syndicated by several vendors, public sources, and services providing CVE data, as observed by BleepingComputer.

The CVE advisory itself was published by MITRE, the parent organization of the CVE project, which is often the first point of contact for users reporting security vulnerabilities in third-party systems and requesting CVE identifiers.

BleepingComputer discovered that the original source of the mishap was a security writeup published on GitHub by one or more Chinese security researchers, while MITRE's CVE entry for the vulnerability was "Reserved" and awaiting production.

Note, within a few hours of our email to MITRE, the CVE advisory was swiftly updated to remove all "Reference" links pointing to vulnerable IoT devices, from both MITRE's CVEProject GitHub repo and the database.


News URL

https://www.bleepingcomputer.com/news/security/security-advisory-accidentally-exposes-vulnerable-systems/