PT-2024-15522 · Inprax · Izzi Connect

Published

2024-02-15

Updated

2025-03-13

CVE-2024-0390

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions INPRAX "iZZi connect" application versions prior to 2024010401

Description The "iZZi connect" application on Android contains hard-coded MQTT queue credentials, which could allow unauthorized access to manage and read parameters of the recuperation unit "reQnet iZZi". This issue potentially affects the corresponding physical recuperation devices that use the same MQTT queue.

Recommendations For versions prior to 2024010401, update to version 2024010401 or later to resolve the issue. As a temporary workaround, consider restricting access to the MQTT queue to minimize the risk of exploitation.

Fix

Using Hardcoded Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-798

Related Identifiers

CVE-2024-0390

Affected Products

Izzi Connect

PT-2024-15522 · Inprax · Izzi Connect

CVE-2024-0390

Weakness Enumeration

Related Identifiers

Affected Products

References · 5