Alexander Plaskett

**Name of the Vulnerable Software and Affected Versions** Phoenix Contact CHARX SEC-3100 (affected versions not specified) **Description** An unauthenticated remote attacker can use this issue to change the device configuration due to a file being writeable for a short time after system startup. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Phoenix Contact CHARX SEC-3000 versions up to 1.6.2 **Description** A remote unauthenticated attacker can use the firmware update feature on the LAN interface of the device to reset the password for the predefined, low-privileged user `user-app` to the default password. The issue is related to insecure default resource initialization. **Recommendations** For Phoenix Contact CHARX SEC-3000 versions up to 1.6.2, update the firmware to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the firmware update feature on the LAN interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Sonos products versions prior to S1 Release 11.12 and S2 release 15.9 **Description** A vulnerability exists in the U-Boot component of the firmware that allows persistent arbitrary code execution with Linux kernel privileges. This is due to a failure to correctly handle the return value of the `setenv` command, which can be used to override the kernel command-line parameters and ultimately bypass the Secure Boot implementation. The affected products include PLAY5 gen 2, PLAYBASE, PLAY:1, One, One SL, and Amp. **Recommendations** For Sonos products versions prior to S1 Release 11.12 and S2 release 15.9, update to S1 Release 11.12 or S2 release 15.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the U-Boot component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Sonos products versions prior to S1 Release 11.12 and S2 release 15.9 **Description** The issue is related to a stack buffer overflow in the mt 7615.ko wireless driver, which can be exploited to allow remote code execution within the kernel. This occurs due to the driver not properly validating an information element during negotiation of a WPA2 four-way handshake. The affected products include Amp, Arc, Arc SL, Beam, Beam Gen 2, Beam SL, and Five. **Recommendations** For Sonos products versions prior to S1 Release 11.12, update to S1 Release 11.12 or later. For Sonos products versions prior to S2 release 15.9, update to S2 release 15.9 or later. As a temporary workaround, consider disabling the Wi-Fi functionality until a patch is available. Restrict access to the vulnerable mt 7615.ko wireless driver to minimize the risk of exploitation.