PT-2023-1283 · InHand Networks · InRouter 615 (+1)
Otorio +1
Published 2023-01-12
Updated 2023-05-16
CVE-2023-22600
CVSS v3.1: 10 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
InHand Networks InRouter 302 versions prior to IR302 V3.5.56
InHand Networks InRouter 615 versions prior to InRouter6XX-S-V2.3.0.r5542
Description
The issue is related to improper access control in the software of InHand Networks InRouter 302 and InRouter 615. This allows unauthenticated devices to subscribe to MQTT topics on the same network as the device manager. An unauthorized user who knows of an existing topic name could send and receive messages to and from that topic, including the ability to send GET/SET configuration commands, reboot commands, and push firmware updates.
Recommendations
For InHand Networks InRouter 302 versions prior to IR302 V3.5.56, update to version IR302 V3.5.56 or later.
For InHand Networks InRouter 615 versions prior to InRouter6XX-S-V2.3.0.r5542, update to version InRouter6XX-S-V2.3.0.r5542 or later.
As a temporary workaround, consider restricting access to the MQTT topics to prevent unauthorized devices from subscribing to them.
Fix
Improper Access Control
Weakness Enumeration
Related identifiers
Affected products
InRouter 302
InRouter 615