1. Home
  2. CVE Database
  3. CVE-2023-6248
CRITICAL · 10.0

CVE-2023-6248

The Syrus4 IoT gateway utilizes an unsecured MQTT server to download and execute arbitrary commands, allowing a remote unauthenticated attacker to execute code on any Syrus4 device connected to the cl...

Vulnerability Description

The Syrus4 IoT gateway utilizes an unsecured MQTT server to download and execute arbitrary commands, allowing a remote unauthenticated attacker to execute code on any Syrus4 device connected to the cloud service. The MQTT server also leaks the location, video and diagnostic data from each connected device. An attacker who knows the IP address of the server is able to connect and perform the following operations: * Get location data of the vehicle the device is connected to * Send CAN bus messages via the ECU module ( https://syrus.digitalcomtech.com/docs/ecu-1 https://syrus.digitalcomtech.com/docs/ecu-1 ) * Immobilize the vehicle via the safe-immobilizer module ( https://syrus.digitalcomtech.com/docs/system-tools#safe-immobilization https://syrus.digitalcomtech.com/docs/system-tools#safe-immobilization ) * Get live video through the connected video camera * Send audio messages to the driver ( https://syrus.digitalcomtech.com/docs/system-tools#apx-tts https://syrus.digitalcomtech.com/docs/system-tools#apx-tts )

CVSS Score

10.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
DigitalcomtechSyrus 4G Iot Telematics Gateway Firmwareapex-23.43.2
DigitalcomtechSyrus 4G Iot Telematics Gateway-

Related Weaknesses (CWE)

CWE-94CWE-287CWE-319CWE-200

References

FAQ

What is CVE-2023-6248?

CVE-2023-6248 is a vulnerability with a CVSS score of 10.0 (CRITICAL). The Syrus4 IoT gateway utilizes an unsecured MQTT server to download and execute arbitrary commands, allowing a remote unauthenticated attacker to execute code on any Syrus4 device connected to the cl...

How severe is CVE-2023-6248?

CVE-2023-6248 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2023-6248?

Check the references section above for vendor advisories and patch information. Affected products include: Digitalcomtech Syrus 4G Iot Telematics Gateway Firmware, Digitalcomtech Syrus 4G Iot Telematics Gateway.