CVE-2023-31240
In short
Snap One OvrC Pro versions before 7.2 contain a hidden superuser account with hard-coded credentials that can be accessed through a web server reachable from the internet and local network. An attacker can use these credentials to gain full control of the system.
Technical detail
CVE-2023-31240 involves hard-coded superuser credentials in OvrC Pro's embedded web server (CWE-1391: Hard-Coded Password). The server is reachable both remotely and from the local network, so an attacker with no prior access can log in as administrator using the hard-coded credentials as shipped. Impact includes complete system compromise and unauthorized access to managed devices.
Summary generated and translated by AI from the official description.
Snap One OvrC Pro versions prior to 7.2 have their own locally running web server accessible both from the local network and remotely. OvrC cloud contains a hidden superuser account accessible through hard-coded credentials.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Affected products
Snap One · OvrC Cloud