Gerard Fuguet Morales

Name of the Vulnerable Software and Affected Versions: Meross Smart Wi-Fi 2 Way Wall Switch (MSS550X) versions 3.1.3 and earlier Description: The issue allows a remote attacker to obtain the Wi-Fi SSID and the password configured by the user from the Meross app via an Http/JSON plain request. This is possible because the device creates an open Wi-Fi Access Point without the required security measures in its initial setup. Recommendations: For Meross Smart Wi-Fi 2 Way Wall Switch (MSS550X) versions 3.1.3 and earlier, consider disabling the device's Wi-Fi Access Point feature until a secure configuration can be applied. Restrict access to the device's initial setup process to minimize the risk of exploitation. Avoid using the device's default setup until a patch or secure configuration is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.