Vulnerability Description
The Eufy Homebase 2 before firmware version 3.3.4.1h creates a dedicated wireless network for its ecosystem, which serves as a proxy to the end user's primary network. The WPA2-PSK generation of this dedicated network is flawed and solely based on the serial number. Due to the flawed generation process, the WPA2-PSK can be brute forced offline within seconds. This vulnerability allows an attacker in proximity to the dedicated wireless network to gain unauthorized access to the end user's primary network. The only requirement of the attack is proximity to the dedicated wireless network.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eufy | Homebase 2 Firmware | < 3.3.4.1h |
| Eufy | Homebase 2 | - |
Related Weaknesses (CWE)
References
- http://anker.comProduct
- http://eufy.comProduct
- https://www.usenix.org/conference/woot24/presentation/goemanTechnical Description
- https://www.usenix.org/system/files/woot24-goeman.pdfTechnical Description
FAQ
What is CVE-2023-37822?
CVE-2023-37822 is a vulnerability with a CVSS score of 8.2 (HIGH). The Eufy Homebase 2 before firmware version 3.3.4.1h creates a dedicated wireless network for its ecosystem, which serves as a proxy to the end user's primary network. The WPA2-PSK generation of this ...
How severe is CVE-2023-37822?
CVE-2023-37822 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-37822?
Check the references section above for vendor advisories and patch information. Affected products include: Eufy Homebase 2 Firmware, Eufy Homebase 2.