Vulnerabilities > CVE-2023-36624 - Missing Authorization vulnerability in Loxone Miniserver GO GEN 2 Firmware

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

loxone

CWE-862

NVD

Published: 2023-07-05

Updated: 2023-07-12

Summary

Loxone Miniserver Go Gen.2 through 14.0.3.28 allows an authenticated operating system user to escalate privileges via the Sudo configuration. This allows the elevated execution of binaries without a password requirement.

Vulnerable Configurations

Part	Description	Count
OS	Loxone Loxone Miniserver GO GEN 2 Firmware *	1
Hardware	Loxone Loxone Miniserver GO GEN 2 -	1

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-004.txt
https://www.syss.de/pentest-blog/root-zugang-zu-smarthome-server-loxone-miniserver-go-gen-2-syss-2023-004/-012/-013