Roni Gavrilov

**Name of the Vulnerable Software and Affected Versions** Bosch Rexroth IndraDrive (all versions) **Description** A vulnerability in the PROFINET stack implementation allows an attacker to cause a denial of service by sending arbitrary UDP messages, rendering the device unresponsive. This issue could potentially bring an entire industrial system to a halt. The vulnerability is being actively exploited. **Recommendations** For Bosch Rexroth IndraDrive, consider implementing network segmentation and firewalls to protect critical infrastructure as a mitigation measure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Qognify NiceVision versions 3.1 and prior **Description** The issue is related to the use of hard-coded credentials, which can be exploited by an attacker to retrieve sensitive information about cameras and users, as well as modify database records. Successful exploitation could allow an attacker to obtain information about the cameras managed by the platform and its users. **Recommendations** For Qognify NiceVision versions 3.1 and prior, consider changing the hard-coded credentials to unique, secure credentials to prevent unauthorized access. As a temporary workaround, restrict access to the system to minimize the risk of exploitation. Update to a version that does not use hard-coded credentials, if available.

**Name of the Vulnerable Software and Affected Versions** Teltonika’s Remote Management System versions prior to 4.10.0 **Description** The issue concerns a function in the Remote Management System that allows users to claim devices, returning information based on whether a device's serial number or MAC address has been claimed, or if the claim attempt was successful. An attacker could exploit this function to create a list of serial numbers and MAC addresses of all cloud-connected devices. **Recommendations** For versions prior to 4.10.0, update to version 4.10.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the device claiming function until a patch is applied. Avoid using the device claiming function with untrusted users to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Teltonika’s Remote Management System version 4.14.0 **Description** The issue allows an unauthorized attacker to register previously unregistered devices through the RMS platform. If the `RMS management feature` is enabled, an attacker could register a device to themselves, enabling them to perform different operations on the user's devices. This includes remote code execution with `root` privileges using the `Task Manager` feature on RMS. **Recommendations** For Teltonika’s Remote Management System version 4.14.0, disable the `RMS management feature` to prevent unauthorized device registration. As a temporary workaround, consider restricting access to the `Task Manager` feature on RMS until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Teltonika’s Remote Management System versions prior to 4.10.0 **Description** The issue is related to a cross-site scripting (XSS) vulnerability in the main page of the web interface. An attacker with the MAC address and serial number of a connected device could send a maliciously crafted JSON file with an HTML object to trigger the vulnerability. This could allow the attacker to execute scripts in the account context and obtain remote code execution on managed devices. **Recommendations** For versions prior to 4.10.0, update to version 4.10.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the main page of the web interface until a patch is available. Avoid using the web interface with untrusted input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Teltonika’s Remote Management System versions prior to 4.10.0 **Description** The issue concerns the use of device serial numbers and MAC addresses for device identification and authentication. If an attacker obtains the serial number and MAC address of a device, they could authenticate as that device, steal its communication credentials, and potentially enable arbitrary command execution as root. This could be achieved by utilizing management options within newly registered devices. **Recommendations** For versions prior to 4.10.0, update to version 4.10.0 or later to resolve the issue. As a temporary workaround, consider restricting access to device management options to minimize the risk of exploitation. Additionally, ensure that device serial numbers and MAC addresses are kept confidential to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Teltonika’s Remote Management System versions prior to 4.10.0 **Description** The issue concerns the virtual private network (VPN) hub feature in Teltonika’s Remote Management System, which utilizes OpenVPN for cross-device communication. This feature allows new devices to connect and communicate with all Teltonika devices already connected to the VPN. Additionally, the OpenVPN server enables users to route through it. An attacker could exploit this by routing a connection to a remote server through the OpenVPN server, thereby gaining the ability to scan and access data from other Teltonika devices connected to the VPN. **Recommendations** For versions prior to 4.10.0, update to version 4.10.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the OpenVPN server to minimize the risk of exploitation. Avoid using the VPN hub feature until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Teltonika RUT router firmware versions 00.07.00 through 00.07.03.4 **Description** The packet dump utility in the firmware contains proper validation for filter parameters, but the variables for validation checks are stored in an external configuration file. An authenticated attacker could use an exposed UCI configuration utility to change these variables and enable malicious parameters in the dump utility, potentially resulting in arbitrary code execution. **Recommendations** For versions 00.07.00 through 00.07.03.4, consider restricting access to the UCI configuration utility to prevent modification of the validation variables. As a temporary workaround, consider disabling the packet dump utility until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Teltonika RUT router firmware versions 00.07.00 through 00.07.03 **Description** The issue is an operating system (OS) command injection vulnerability in a Lua service. An attacker could exploit a parameter in the vulnerable function that calls a user-provided package name by instead providing a package with a malicious name that contains an OS command injection payload. **Recommendations** For versions 00.07.00 through 00.07.03, as a temporary workaround, consider restricting the use of the Lua service until a patch is available. Avoid using user-provided package names in the vulnerable function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Teltonika’s Remote Management System versions prior to 4.10.0 **Description** The issue allows users to access managed devices’ local secure shell (SSH)/web management services over the cloud proxy. A user can request a web proxy and obtain a URL in the Remote Management System cloud subdomain, which could be shared with others without Remote Management System authentication. An attacker could exploit this to create a malicious webpage that uses a trusted and certified domain. The attacker could initiate a reverse shell when a victim connects to the malicious webpage, achieving remote code execution on the victim device. **Recommendations** For versions prior to 4.10.0, update to version 4.10.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the web proxy feature in the Remote Management System until a patch is applied. Additionally, avoid sharing URLs obtained through the web proxy feature with unauthenticated users to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ALEOS versions prior to 4.16 **Description** The issue allows a user with valid credentials to reconfigure the device, exposing the ACEManager credentials on the pre-login status page. **Recommendations** For versions prior to 4.16, update to version 4.16 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ALEOS versions prior to 4.16 **Description** The issue allows a user with valid credentials to manipulate the IP logging operation, potentially leading to the execution of arbitrary shell commands on the device. This is due to the lack of measures to neutralize special elements used in the operating system command. Exploitation of this issue may allow a remote attacker to execute arbitrary code. **Recommendations** For versions prior to 4.16, update to version 4.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the iplogging.cgi executable file until a patch is available. Avoid using the IP logging operation with untrusted input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** InHand Networks InRouter 302 versions prior to IR302 V3.5.56 InHand Networks InRouter 615 versions prior to InRouter6XX-S-V2.3.0.r5542 **Description** The issue is related to improper neutralization of special elements used in an OS command, which could allow an unauthorized user with privileged access to the local web interface or the cloud account managing the affected devices to push a specially crafted configuration update file. This could lead to remote code execution with root privileges. **Recommendations** For InHand Networks InRouter 302 versions prior to IR302 V3.5.56, update to version IR302 V3.5.56 or later. For InHand Networks InRouter 615 versions prior to InRouter6XX-S-V2.3.0.r5542, update to version InRouter6XX-S-V2.3.0.r5542 or later. As a temporary workaround, consider restricting access to the local web interface and cloud account managing the affected devices to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** InHand Networks InRouter 302 versions prior to IR302 V3.5.56 InHand Networks InRouter 615 versions prior to InRouter6XX-S-V2.3.0.r5542 **Description** The issue is related to improper access control in the software of InHand Networks InRouter 302 and InRouter 615. This allows unauthenticated devices to subscribe to MQTT topics on the same network as the device manager. An unauthorized user who knows of an existing topic name could send and receive messages to and from that topic, including the ability to send GET/SET configuration commands, reboot commands, and push firmware updates. **Recommendations** For InHand Networks InRouter 302 versions prior to IR302 V3.5.56, update to version IR302 V3.5.56 or later. For InHand Networks InRouter 615 versions prior to InRouter6XX-S-V2.3.0.r5542, update to version InRouter6XX-S-V2.3.0.r5542 or later. As a temporary workaround, consider restricting access to the MQTT topics to prevent unauthorized devices from subscribing to them.

**Name of the Vulnerable Software and Affected Versions** InHand Networks InRouter 302 versions prior to IR302 V3.5.56 InHand Networks InRouter 615 versions prior to InRouter6XX-S-V2.3.0.r5542 **Description** The issue is related to the use of insufficiently random values, specifically with the MQTT ClientID parameters, which are not properly randomized. This could allow an unauthorized user to calculate the parameter and gather additional information about other InHand devices managed on the same cloud platform. **Recommendations** For InHand Networks InRouter 302 versions prior to IR302 V3.5.56, update to version IR302 V3.5.56 or later to resolve the issue. For InHand Networks InRouter 615 versions prior to InRouter6XX-S-V2.3.0.r5542, update to version InRouter6XX-S-V2.3.0.r5542 or later to resolve the issue. As a temporary workaround, consider restricting access to the MQTT ClientID parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** InHand Networks InRouter 302 versions prior to IR302 V3.5.56 InHand Networks InRouter 615 versions prior to InRouter6XX-S-V2.3.0.r5542 **Description** The issue is related to the use of a one-way hash with a predictable salt, allowing an unauthorized user to easily calculate the hardcoded string used for encoding MQTT credentials. This could result in the affected devices being temporarily disconnected from the cloud platform, enabling the user to receive MQTT commands with potentially sensitive information. An attacker could exploit this by sending specially crafted HTTP/HTTPS requests using the MQTT protocol, potentially gaining unauthorized access to protected information. **Recommendations** For InHand Networks InRouter 302 versions prior to IR302 V3.5.56, update to version IR302 V3.5.56 or later. For InHand Networks InRouter 615 versions prior to InRouter6XX-S-V2.3.0.r5542, update to version InRouter6XX-S-V2.3.0.r5542 or later. As a temporary workaround, consider restricting access to the MQTT protocol to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** InHand Networks InRouter 302 versions prior to IR302 V3.5.56 InHand Networks InRouter 615 versions prior to InRouter6XX-S-V2.3.0.r5542 **Description** The issue is related to the use of an unsecured channel for data transmission by default, which may allow a remote attacker to gain unauthorized access to sensitive information or execute arbitrary commands using the MQTT protocol. This could enable an unauthorized user to intercept communication and steal sensitive information, such as configuration information and MQTT credentials, potentially allowing MQTT command injection. **Recommendations** For InHand Networks InRouter 302 versions prior to IR302 V3.5.56, update to version IR302 V3.5.56 or later. For InHand Networks InRouter 615 versions prior to InRouter6XX-S-V2.3.0.r5542, update to version InRouter6XX-S-V2.3.0.r5542 or later. As a temporary workaround, consider restricting access to the MQTT protocol to minimize the risk of exploitation.