CVE-2023-45851

EUVD-2023-50121
The Android Client application, when enrolled to the AppHub server,connects to an MQTT broker without enforcing any server authentication. 


This issue allows an attacker to force the Android Client application to connect to a malicious MQTT broker, enabling it to send fake messages to the HMI device
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
boschCNA
8.8 HIGH
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 28%
Affected Products (NVD)
VendorProductVersion
boschrexrothctrlx_hmi_web_panel_wr2107_firmware
*
boschrexrothctrlx_hmi_web_panel_wr2110_firmware
*
boschrexrothctrlx_hmi_web_panel_wr2115_firmware
*
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://psirt.bosch.com/security-advisories/BOSCH-SA-175607.html
https://psirt.bosch.com/security-advisories/BOSCH-SA-175607.html