Adam Lindberg

**Name of the Vulnerable Software and Affected Versions** Shelly TRV version 20220811-152343/v2.1.8@5afc928c **Description** The issue allows malicious users to create a backdoor by redirecting the device to an attacker-controlled machine which serves the manipulated firmware file. The device is then updated with the manipulated firmware. **Recommendations** For Shelly TRV version 20220811-152343/v2.1.8@5afc928c, as a temporary workaround, consider restricting access to firmware updates until a patch is available. Avoid using unverified or unofficial firmware sources to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Shelly TRV version 2.1.8 **Description** The issue allows a local attacker to obtain the Wi-Fi password due to cleartext transmission during the initial setup. **Recommendations** For Shelly TRV version 2.1.8, update to a version that addresses the cleartext transmission issue to prevent a local attacker from obtaining the Wi-Fi password.

**Name of the Vulnerable Software and Affected Versions** Meross MSH30Q version 4.5.23 **Description** The issue concerns the transmission of sensitive information in cleartext during the device setup phase. When setting up the device, it creates an unprotected Wi-Fi access point and requires the user to enter their Wi-Fi network name (SSID) and password to connect to the internet. Although the Wi-Fi password is encrypted, part of the decryption algorithm is publicly available, allowing for the decryption of the password. This affects the transmission of the Wi-Fi password and name between the device and the mobile application over the Wi-Fi network. **Recommendations** For Meross MSH30Q version 4.5.23, consider changing the Wi-Fi network password and SSID after the initial setup to minimize the risk of exploitation. As a temporary workaround, restrict access to the device's setup phase to trusted networks only until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Meross MSH30Q version 4.5.23 **Description** The radio frequency communication protocol used by the device is susceptible to replay attacks. This allows attackers to record and replay previously captured communication, enabling them to execute unauthorized commands or actions, such as modifying the thermostat's temperature. **Recommendations** For Meross MSH30Q version 4.5.23, consider implementing authentication mechanisms to verify the authenticity of incoming commands to prevent replay attacks. As a temporary workaround, restrict access to the device's communication protocol to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.