ConnectedIO’s 3G/4G Routers Vulnerability Let Hackers Execute Malicious Code
High-severity issues in ConnectedIO’s ER2000 edge routers were found, and an attacker can leverage them to compromise the cloud infrastructure fully, remotely execute malicious code, and expose all user and device data.
A 3G/4G router serves as a gateway between the remote site and the internet and enables the XIoT devices on that site to connect online. Organizations may remotely manage their devices because of this connectivity.
ConnectedIO’s firmware releases have fixed all the flaws found by Team82.
Details of the Vulnerability
The flaws impact ConnectedIO platform versions v2.1.0 and earlier, particularly the 4G ER2000 edge router and cloud services, and could be chained, permitting attackers to execute arbitrary code on cloud-based devices without direct access.
Furthermore, flaws have also been found in the MQTT communication protocol, which is used to connect devices and the cloud, including the use of hard-coded authentication credentials, which could be exploited to register a rogue device and gain access to MQTT messages that contain router passwords, SSIDs, and device identifiers.
Using the disclosed IMEI data, the threat actor may not only impersonate any device of their choice but also force them to execute arbitrary commands published via specially crafted MQTT messages.
This is done by using the bash command with the opcode “1116,” which runs a remote command “as-is.”
This command, which requires no additional authentication beyond the ability to write to the correct topic, allows running arbitrary commands on all devices. It does not validate whether the sender of the commands is an authorized issuer.
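One way a device-side handler could enforce the missing issuer check, shown as an added example that is not ConnectedIO's code. The JSON message layout, the ISSUER_KEYS table, the action allowlist and every name below are assumptions, since the page does not document the real message format.

```python
import hashlib
import hmac
import json
import time

# Hypothetical message layout (not the vendor's real format):
# {"opcode", "action", "issuer", "ts", "nonce", "mac"}
ISSUER_KEYS = {"cloud-controller-1": b"constructed-demo-key"}  # per-issuer key, constructed sample
ALLOWED_ACTIONS = {"reboot", "report_status"}  # fixed actions replace "run as-is"
MAX_SKEW = 60  # seconds a signed command stays valid
_seen_nonces = set()

def _mac(key, msg):
    # MAC over a canonical encoding of every field except the MAC itself.
    body = {k: msg[k] for k in ("opcode", "action", "issuer", "ts", "nonce")}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

def sign(msg, key):
    # Issuer side: attach the MAC before publishing.
    return {**msg, "mac": _mac(key, msg)}

def handle(raw, now=None):
    """Device side: return (accepted, action_or_reason). Nothing is executed here."""
    now = time.time() if now is None else now
    try:
        msg = json.loads(raw)
        key = ISSUER_KEYS.get(msg["issuer"])
        if key is None:
            return False, "unknown issuer"
        # Topic write access alone proves nothing; require a valid issuer MAC.
        if not hmac.compare_digest(_mac(key, msg), str(msg["mac"])):
            return False, "bad mac"
        if abs(now - msg["ts"]) > MAX_SKEW:
            return False, "stale"
        if msg["nonce"] in _seen_nonces:
            return False, "replay"
        if msg["action"] not in ALLOWED_ACTIONS:
            return False, "action not allowed"
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    _seen_nonces.add(msg["nonce"])
    return True, msg["action"]
```

The caller maps an accepted action name to a fixed local routine, so a free-form command string is rejected even when a legitimate issuer signs it.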
Researchers have found four new vulnerabilities that allow attackers to execute remote code on all connected devices. These vulnerabilities are identified as CVE-2023-33375, CVE-2023-33376, CVE-2023-33377, and CVE-2023-33378.
These vulnerabilities, if exploited, could pose a serious risk to thousands of enterprises around the world, permitting attackers to disrupt business and production while also gaining access to internal networks.
Patch Available
ConnectedIO has issued firmware upgrades that address all the vulnerabilities found to resolve these issues. Customers are automatically protected since these upgrades have been applied to the cloud infrastructure and edge devices.
Source credit : cybersecuritynews.com