Vulnerability Description
InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-330: Use of Insufficiently Random Values. They do not properly randomize MQTT ClientID parameters. An unauthorized user could calculate this parameter and use it to gather additional information about other InHand devices managed on the same cloud platform.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Inhandnetworks | Inrouter302 Firmware | < 3.5.56 |
| Inhandnetworks | Inrouter302 | - |
| Inhandnetworks | Inrouter615-S Firmware | < 2.3.0.r5542 |
| Inhandnetworks | Inrouter615-S | - |
Related Weaknesses (CWE)
References
- https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-03Third Party AdvisoryUS Government Resource
- https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-03Third Party AdvisoryUS Government Resource
FAQ
What is CVE-2023-22601?
CVE-2023-22601 is a vulnerability with a CVSS score of 10.0 (CRITICAL). InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-330: Use of Insufficiently Random Values. They d...
How severe is CVE-2023-22601?
CVE-2023-22601 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-22601?
Check the references section above for vendor advisories and patch information. Affected products include: Inhandnetworks Inrouter302 Firmware, Inhandnetworks Inrouter302, Inhandnetworks Inrouter615-S Firmware, Inhandnetworks Inrouter615-S.