PT-2024-1304 · Novelan+1 · Novelan Heatpumps+1
Jaarden
Published: 2024-01-29
Updated: 2024-08-29
CVE-2024-22894
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Alpha Innotec Heatpumps versions prior to V2.88.3
Alpha Innotec Heatpumps versions prior to V3.89.0
Alpha Innotec Heatpumps versions prior to V4.81.3
Novelan Heatpumps versions prior to V2.88.3
Novelan Heatpumps versions prior to V3.89.0
Novelan Heatpumps versions prior to V4.81.3
Description
The issue is related to the use of hardcoded credentials in the wp2reg-V3.88.0-9015 file, allowing a remote attacker to gain full access to the device. The vulnerability can be exploited to execute arbitrary code via the password component in the shadow file.
Recommendations
For Alpha Innotec Heatpumps versions prior to V2.88.3, update to V2.88.3 or later.
For Alpha Innotec Heatpumps versions prior to V3.89.0, update to V3.89.0 or later.
For Alpha Innotec Heatpumps versions prior to V4.81.3, update to V4.81.3 or later.
For Novelan Heatpumps versions prior to V2.88.3, update to V2.88.3 or later.
For Novelan Heatpumps versions prior to V3.89.0, update to V3.89.0 or later.
For Novelan Heatpumps versions prior to V4.81.3, update to V4.81.3 or later.
Exploit
Fix
Using Hardcoded Credentials
Inadequate Encryption Strength
Related Identifiers
Affected Products
Alpha Innotec Heatpumps
Novelan Heatpumps