Vulnerability Details : CVE-2023-22601
InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-330: Use of Insufficiently Random Values. They do not properly randomize MQTT ClientID parameters. An unauthorized user could calculate this parameter and use it to gather additional information about other InHand devices managed on the same cloud platform.
Products affected by CVE-2023-22601
- cpe:2.3:o:inhandnetworks:inrouter302_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:inhandnetworks:inrouter615-s_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-22601
0.11%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 45 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-22601
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H |
3.9
|
6.0
|
ICS-CERT | |
8.6
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
3.9
|
4.0
|
NIST |
CWE ids for CVE-2023-22601
-
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.Assigned by: ics-cert@hq.dhs.gov (Primary)
References for CVE-2023-22601
-
https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-03
InHand Networks InRouter | CISAThird Party Advisory;US Government Resource
Jump to