Cyber Resilience

CVE-2023-5702

Medium

Published: 23 October 2023

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 4.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.2937 (96.7th percentile)
Risk Priority: 26 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-5702 is a medium-severity Forced Browsing (CWE-425) vulnerability in Viessmann Vitogate 300 Firmware. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

A vulnerability exists in Viessmann Vitogate 300 versions up to 2.1.3.0 and is tracked as CVE-2023-5702. The issue affects an unspecified function within the /cgi-bin/ path and is caused by improper access control that permits direct requests, corresponding to CWE-425. The flaw carries a CVSS 3.1 base score of 4.3.

An unauthenticated attacker positioned on an adjacent network can send crafted requests to the affected endpoint and retrieve limited sensitive data. Public proof-of-concept material has been released, confirming that the attack requires no user interaction or elevated privileges.

The vendor was notified prior to disclosure but did not respond or issue a patch. Available references consist of third-party technical write-ups and vulnerability database entries that reproduce the request manipulation but provide no official mitigation guidance. The associated EPSS score reached a peak of 0.3545.

EU & UK References

Vulnerability details

A vulnerability was found in Viessmann Vitogate 300 up to 2.1.3.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /cgi-bin/. The manipulation leads to direct request. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-243140. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability (CWE-425, Direct Request, also known as Forced Browsing) in the Viessmann Vitogate 300 web interface (/cgi-bin/) allows unauthorized direct requests to access sensitive documents without authentication, enabling exploitation of a public-facing application.

Affected Assets

viessmann
vitogate 300 firmware
≤ 2.1.3.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-425

Forcing a decision on every access request, including direct ones, reduces the exploitability of forced browsing by ensuring no unchecked access paths.

addresses: CWE-425

Forces all accesses through the reference monitor, preventing direct or forced requests that bypass checks.

addresses: CWE-425

Enforcing access for all logical requests prevents unauthorized direct access to protected resources.

addresses: CWE-425

Displaying the notification before further access on public systems prevents direct resource requests from bypassing the required system use terms and consent.

addresses: CWE-425

Decoy endpoints catch forced browsing and direct requests, deflecting attackers from legitimate resources while enabling analysis.

addresses: CWE-425

Blocks unauthorized direct requests or forced browsing by denying input access to non-authorized actors.

References