CVE-2023-45321
Vexday Risk Score: 21 (Low)
SSVC decision (CISA): Track
No sign of exploitation → monitor
CVSS 8.3 · EPSS 0.1% · KEV: no · PoC: — · Patch referenced
Lifecycle
25 Oct 2023: Published in NVD
Recommendation: Monitor. No sign of exploitation for now.
The Android Client application, when enrolled with the defined method 1 (the user manually enters the server IP address), uses the HTTP protocol instead of HTTPS to retrieve sensitive information (the IP address and credentials used to connect to a remote MQTT broker), and this behaviour is not configurable by the user. Because HTTP is unencrypted, this issue allows an attacker on the same subnet as the HMI device to intercept the username and password needed to authenticate to the MQTT server that implements the remote management protocol.
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Affected products
Bosch Rexroth AG · ctrlX HMI Web Panel - WR21 (WR2107)
Bosch Rexroth AG · ctrlX HMI Web Panel - WR21 (WR2110)
Bosch Rexroth AG · ctrlX HMI Web Panel - WR21 (WR2115)