Cyber Resilience

CVE-2023-22599

High

Published: 12 January 2023
Modified: 21 November 2024
KEV Added:
Patch:
CVSS Score v3.1: 7.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L)
EPSS Score: 0.0015 (35.5th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-22599 is a high-severity Use of a One-Way Hash with a Predictable Salt (CWE-760) vulnerability in InHand Networks InRouter 302 firmware. Its CVSS base score is 7.0 (High).

Operationally, it ranks at the 35.5th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

Vulnerability details

InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-760: Use of a One-way Hash with a Predictable Salt. They send MQTT credentials in response to HTTP/HTTPS requests from the cloud platform. These credentials are encoded using a hardcoded string into an MD5 hash. This string could be easily calculated by an unauthorized user who spoofed sending an HTTP/HTTPS request to the devices. This could result in the affected devices being temporarily disconnected from the cloud platform and allow the user to receive MQTT commands with potentially sensitive information.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: inhandnetworks; Product: inrouter302 firmware; Version: ≤ 3.5.56
Vendor: inhandnetworks; Product: inrouter615-s firmware; Version: ≤ 2.3.0.r5542

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
