PT-2020-12495 · Thinx · Thinx-Device-Api

Suculent · Published 2020-04-30 · Updated 2022-10-29 · CVE-2020-11015

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
thinx-device-api IoT Device Management Server versions prior to 2.5.0

Description
A vulnerability has been disclosed in the thinx-device-api IoT Device Management Server in which the device MAC address can be spoofed. An initial registration request that carries no UDID but a spoofed MAC address causes the server to create a new UDID bound to the same MAC address as an already registered device. The full impact of this issue still needs to be reviewed. It applies to all users, mostly those using ESP8266/ESP32 devices.

Recommendations
For versions prior to 2.5.0, update to firmware version 2.5.0 to resolve the issue. As a temporary workaround, consider restricting access to the initial registration request endpoint to minimize the risk of exploitation. Avoid using spoofed MAC addresses in registration requests until the issue is resolved.

Weakness Enumeration
Authentication Bypass by Spoofing

Related Identifiers
CVE-2020-11015
GHSA-5X54-39XQ-CWVC

Affected Products
Thinx-Device-Api