CVE-2024-46874

Name of the Vulnerable Software and Affected Versions Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x

Description The issue is related to the incorrect handling of insufficient permissions or privileges in the Ruijie Reyee OS MQTT broker. This could allow attackers with device credentials to send unauthorized commands to other devices on behalf of Ruijie's cloud by sending messages to some topics. Attackers with device credentials could issue commands to other devices, posing a serious cybersecurity risk.

Recommendations For Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x, consider disabling the MQTT client functionality until a patch is available to prevent attackers from sending unauthorized commands. Restrict access to device credentials to minimize the risk of exploitation. Avoid using device credentials to send messages to sensitive topics until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.