PT-2023-1274 · InHand Networks · InRouter 615 (+1 product)

Credit: Otorio (+1)
Published: 2023-01-03
Updated: 2023-01-23
CVE: CVE-2023-22599
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions

InHand Networks InRouter 302, versions prior to IR302 V3.5.56
InHand Networks InRouter 615, versions prior to InRouter6XX-S-V2.3.0.r5542
Description

The affected firmware uses a one-way hash with a predictable salt to derive the hardcoded string used to encode MQTT credentials, so an unauthorized user can easily recompute that string. With it, an attacker could temporarily disconnect the affected device from the cloud platform and receive the MQTT commands intended for it, which may carry sensitive information. The weakness could be exploited by sending specially crafted HTTP/HTTPS requests using the MQTT protocol, potentially gaining unauthorized access to protected information.
Recommendations

For InHand Networks InRouter 302 versions prior to IR302 V3.5.56, update to version IR302 V3.5.56 or later.
For InHand Networks InRouter 615 versions prior to InRouter6XX-S-V2.3.0.r5542, update to version InRouter6XX-S-V2.3.0.r5542 or later.
As a temporary workaround, consider restricting access to the MQTT protocol to minimize the risk of exploitation.

Related Identifiers

BDU:2023-00541
CVE-2023-22599

Affected Products

InRouter 302
InRouter 615