PT-2023-2620 · Nexx · Nexx Garage Door Controller+2

Published: 2023-04-04 · Updated: 2023-04-12 · CVE-2023-1749

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N

Name of the Vulnerable Software and Affected Versions

Nexx Garage Door Controller versions NXG-100B, NXG-200
Nexx Smart Plug version NXPG-100W
Nexx Smart Alarm version NXAL-100

Description

The issue is related to a lack of proper access control when executing actions on Nexx Smart Home devices. An attacker with a valid deviceId could send API requests that the affected devices would execute, allowing for the execution of arbitrary commands. This could be done remotely.

Recommendations

For Nexx Garage Door Controller versions NXG-100B, NXG-200, restrict access to API endpoints until a patch is available. For Nexx Smart Plug version NXPG-100W, avoid using the deviceId in API requests until the issue is resolved. For Nexx Smart Alarm version NXAL-100, consider disabling API execution for actions until a fix is provided. As a temporary workaround, consider restricting the use of API requests on all affected devices until a patch is available.
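The access-control gap described above, shown as an added example that is not Nexx code and not part of the original advisory: a server-side command handler that treats the deviceId as sufficient, beside one that checks the authenticated account against the device's registered owner. The handler names, data model, status codes and device IDs are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical): device registrations and explicit shares.
DEVICE_OWNERS = {"dev-aaa111": "alice", "dev-bbb222": "bob"}
DEVICE_SHARES = {"dev-aaa111": {"carol"}}
ALLOWED_ACTIONS = {"open", "close", "on", "off"}


@dataclass
class Request:
    account: str    # identity taken from the authenticated session
    device_id: str  # client-supplied identifier, not a credential
    action: str


def handle_vulnerable(req: Request) -> int:
    """Flawed pattern: any authenticated caller who knows a deviceId is served."""
    if req.device_id in DEVICE_OWNERS and req.action in ALLOWED_ACTIONS:
        return 200  # command forwarded to the device
    return 404


def is_authorized(account: str, device_id: str) -> bool:
    """True only for the registered owner or an account the owner shared with."""
    owner = DEVICE_OWNERS.get(device_id)
    if owner is None:
        return False
    return account == owner or account in DEVICE_SHARES.get(device_id, set())


def handle_hardened(req: Request, audit: list) -> int:
    """Object-level authorization on every command, with an audit trail."""
    if req.action not in ALLOWED_ACTIONS:
        return 400
    if not is_authorized(req.account, req.device_id):
        # Record the attempt so repeated probing of foreign deviceIds is detectable.
        audit.append((req.account, req.device_id, req.action))
        # Same status for unknown and foreign devices: no deviceId oracle.
        return 404
    return 200  # command forwarded to the device


if __name__ == "__main__":
    log = []
    foreign = Request("bob", "dev-aaa111", "open")
    print("vulnerable:", handle_vulnerable(foreign))
    print("hardened:  ", handle_hardened(foreign, log), log)
```

The denied-request entries collected in `audit` are the signal to alert on: one account touching many deviceIds it does not own.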

Fix

IDOR

Weakness Enumeration

Related Identifiers

BDU:2023-02460
CVE-2023-1749

Affected Products

Nexx Garage Door Controller
Nexx Smart Alarm
Nexx Smart Plug