CVE-2023-46889

Name of the Vulnerable Software and Affected Versions Meross MSH30Q version 4.5.23

Description The issue concerns the transmission of sensitive information in cleartext during the device setup phase. When setting up the device, it creates an unprotected Wi-Fi access point and requires the user to enter their Wi-Fi network name (SSID) and password to connect to the internet. Although the Wi-Fi password is encrypted, part of the decryption algorithm is publicly available, allowing for the decryption of the password. This affects the transmission of the Wi-Fi password and name between the device and the mobile application over the Wi-Fi network.

Recommendations For Meross MSH30Q version 4.5.23, consider changing the Wi-Fi network password and SSID after the initial setup to minimize the risk of exploitation. As a temporary workaround, restrict access to the device's setup phase to trusted networks only until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.