Vulnerabilities > CVE-2023-22600 - Unspecified vulnerability in Inhandnetworks Inrouter302 Firmware and Inrouter615-S Firmware

CVSS 8.1 - HIGH

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

high complexity

inhandnetworks

NVD

Published: 2023-01-12

Updated: 2023-11-07

Summary

InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-284: Improper Access Control. They allow unauthenticated devices to subscribe to MQTT topics on the same network as the device manager. An unauthorized user who knows of an existing topic name could send and receive messages to and from that topic. This includes the ability to send GET/SET configuration commands, reboot commands, and push firmware updates.

Vulnerable Configurations

Part	Description	Count
OS	Inhandnetworks Inhandnetworks Inrouter302 Firmware - Inhandnetworks Inrouter302 Firmware 3.5.4 Inhandnetworks Inrouter302 Firmware 3.5.37 Inhandnetworks Inrouter302 Firmware 3.5.45 Inhandnetworks Inrouter615 S Firmware *	5
Hardware	Inhandnetworks Inhandnetworks Inrouter302 - Inhandnetworks Inrouter615 S -	2

References

https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-03

Summary

Vulnerable Configurations

Related news

References