CVE-2023-33372

Name of the Vulnerable Software and Affected Versions Connected IO versions 2.1.0 and prior

Description The issue concerns the use of a hard-coded username/password pair in the device's firmware for communication via MQTT. An attacker gaining access to these credentials can connect to the MQTT broker, send messages on behalf of devices, and impersonate them. This also allows attackers to sign and verify JWT session tokens, enabling them to sign arbitrary session tokens and bypass authentication.

Recommendations For Connected IO versions 2.1.0 and prior, consider disabling the use of hard-coded credentials for MQTT communication until a patch is available. Restrict access to the MQTT broker to minimize the risk of exploitation. Avoid using the hard-coded username and password in device communication until the issue is resolved.