CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2023-37231

CVSS 9.8v3.1pub. 2024-09-10upd. 2025-05-29

Loftware Spectrum before 4.6 HF14 uses a Hard-coded Password.

🤖 AI Analysis
How it works

The Loftware Spectrum application stores a constant, unchanged password in its source code or configuration (CWE-259). An attacker who learns this password — for example, through analysis of binary files or publicly available information — can use it to authenticate to the system without any additional privileges. The attack vector is network-based, does not require user interaction or special conditions, making the vulnerability exceptionally easy to exploit.

Impact

An attacker can gain full, unauthorized access to the Loftware Spectrum system, leading to violations of confidentiality, integrity, and availability of application data and functions.

Mitigation & patch

Loftware Spectrum must be immediately updated to version 4.6 HF14 or later, in accordance with the manufacturer's information available at: https://docs.loftware.com/spectrum-releasenotes/Content/Hotfix/4.6_HF14.htm. Until the patch is deployed, it is recommended to restrict network access to the Loftware Spectrum system exclusively to trusted hosts.

Who is affected

Loftware Spectrum in all versions before 4.6 HF14.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Loftware Spectrum

    APP
    Loftware
    4.6< 4.6
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2023-37227CRITICAL9.8PL ✓ten sam produkt

Niebezpieczna deserializacja danych w Loftware Spectrum przed wersją 4.6 HF13

CVE-2023-37226CRITICAL9.8PL ✓ten sam produkt

Loftware Spectrum — brak uwierzytelnienia dla krytycznej funkcji (Auth Bypass)

CVE-2023-37234CRITICAL9.8PL ✓ten sam produkt

Loftware Spectrum — niezabezpieczony rejestr JMX umożliwia zdalny dostęp

CVE-2023-37233HIGH8.8ten sam produkt

Loftware Spectrum before 4.6 HF14 allows authenticated XXE attacks.

CVE-2023-37230HIGH8.8ten sam produkt

Loftware Spectrum (testDeviceConnection) before 5.1 allows SSRF.