Vulnerability Details : CVE-2019-18980
Potential exploit
On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9290022656 devices, an unprotected API lets remote users control the bulb's operation. Anyone can turn the bulb on or off, or change its color or brightness remotely. There is no authentication or encryption to use the control API. The only requirement is that the attacker have network access to the bulb.
Products affected by CVE-2019-18980
- cpe:2.3:o:philips:taolight_smart_wi-fi_wiz_connected_led_bulb_9290022656_firmware:-:*:*:*:*:*:*:*
  When used together with: Philips » Taolight Smart Wi-fi Wiz Connected Led Bulb 9290022656 » Version: N/A
Exploit prediction scoring system (EPSS) score for CVE-2019-18980
0.11%: Probability of exploitation activity in the next 30 days
~27%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-18980
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2019-18980
- The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Assigned by: nvd@nist.gov (Primary)
- The product does not encrypt sensitive or critical information before storage or transmission. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-18980
- https://blog.dammitly.net/2019/10/cheap-hackable-wifi-light-bulbs-or-iot.html
  Dammitly.net: Cheap, Hackable IOT Light Bulbs (or, Philips Bulbs Have No Security)
  Exploit; Third Party Advisory