CVE-2023-45851

The Android Client application, when enrolled to the AppHub server,connects to an MQTT broker without enforcing any server authentication. 


This issue allows an attacker to force the Android Client application to connect to a malicious MQTT broker, enabling it to send fake messages to the HMI device
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
boschrexrothctrlx_hmi_web_panel_wr2107_firmware
*
boschrexrothctrlx_hmi_web_panel_wr2110_firmware
*
boschrexrothctrlx_hmi_web_panel_wr2115_firmware
*
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
boschrexrothctrlx_hmi_web_panel_wr2107
𝑥
< RC7(Build date 20231107)
ADP
Common Weakness Enumeration
References
https://psirt.bosch.com/security-advisories/BOSCH-SA-175607.html
https://psirt.bosch.com/security-advisories/BOSCH-SA-175607.html