Ctrlx Hmi Web Panel Wr2107 Firmware
CVE-2023-46102
HIGH
Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
The Android Client application, when enrolled to the AppHub server, connects to an MQTT broker to exchange messages and receive commands to execute on the HMI device. The protocol builds on top of MQTT to implement the remote management of the device is encrypted with a hard-coded DES symmetric key, that can be retrieved reversing both the Android Client application and the server-side web application.
This issue allows an attacker able to control a malicious MQTT broker on the same subnet network of the device, to craft malicious messages and send them to the HMI device, executing arbitrary commands on the device itself.
AnalysisAI
The Android Client application, when enrolled to the AppHub server, connects to an MQTT broker to exchange messages and receive commands to execute on the HMI device. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Use of Hard-coded Credentials (CWE-798), which allows attackers to gain access using credentials embedded in source code. The Android Client application, when enrolled to the AppHub server, connects to an MQTT broker to exchange messages and receive commands to execute on the HMI device. The protocol builds on top of MQTT to implement the remote management of the device is encrypted with a hard-coded DES symmetric key, that can be retrieved reversing both the Android Client application and the server-side web application. This issue allows an attacker able to control a malicious MQTT broker on the same subnet network of the device, to craft malicious messages and send them to the HMI device, executing arbitrary commands on the device itself. Affected products include: Boschrexroth Ctrlx Hmi Web Panel Wr2107 Firmware, Boschrexroth Ctrlx Hmi Web Panel Wr2110 Firmware, Boschrexroth Ctrlx Hmi Web Panel Wr2115 Firmware.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Remove hard-coded credentials, use environment variables or secrets management, rotate exposed credentials immediately.
The Android Client application, when enrolled to the AppHub server,connects to an MQTT broker without enforcing any serv
The Android Client application, when enrolled with the define method 1 (the user manually inserts the server ip address)
The Android Client application, when enrolled with the define method 1(the user manually inserts the server ip address),
The vulnerability allows an unprivileged user with access to the subnet of the TPC-110W device to gain a root shell on t
The vulnerability allows a low privileged (untrusted) application to modify a critical system property that should be de
The vulnerability allows an unprivileged (untrusted) third- party application to arbitrary modify the server settings of
The vulnerability allows a low privileged user that have access to the device when locked in Kiosk mode to install an ar
The vulnerability allows an unprivileged(untrusted) third-party application to interact with a content-provider unsafely
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today