CVE-2018-15479

An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. Devices did not authenticate themselves to the cloud in device to cloud communication. This lack of device authentication allowed an attacker to impersonate any device by guessing or learning their MAC address.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 41%
VendorProductVersion
mystromwifi_switch_firmware
𝑥
< 2.66
mystromwifi_switch_firmware
𝑥
< 3.80
mystromwifi_button_plus_firmware
𝑥
< 2.73
mystromwifi_button_firmware
𝑥
< 2.73
mystromwifi_switch_eu_firmware
𝑥
< 3.80
mystromwifi_bulb_firmware
𝑥
< 2.58
mystromwifi_led_strip_firmware
𝑥
< 3.80
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.swisscom.ch/content/dam/swisscom/de/about/nachhaltigkeit/digitale-schweiz/sicherheit/bug-bounty/files/cve-2018-15476ff.txt
https://www.swisscom.ch/content/dam/swisscom/de/about/nachhaltigkeit/digitale-schweiz/sicherheit/bug-bounty/files/cve-2018-15476ff.txt