CRITICAL🇵🇱 Wersja polska

CVE-2023-48425

CVSS 9.8v3.1pub. 2023-12-11upd. 2025-05-27

U-Boot vulnerability resulting in persistent Code Execution 

🤖 AI Analysis
How it works

The vulnerability affects the U-Boot component — the bootloader responsible for system initialization on Google Chromecast devices. Based on the classified CWE-20, it indicates insufficient validation of input data in this component. Exploiting the vulnerability leads to persistent code execution, meaning that malicious code can survive device restarts. A network attack vector (AV:N) without authentication requirements (PR:N, UI:N) suggests the possibility of remote exploitation of the vulnerability.

Impact

An attacker can gain full control over the device — ensuring the highest level of confidentiality, integrity, and availability of the system, and the executed code can remain permanently on the device even after a restart.

Mitigation & patch

Patches available from the manufacturer should be applied according to references — the Chromecast security bulletin dated 2023-12-01 is available at: https://source.android.com/docs/security/bulletin/chromecast/2023-12-01. Google Chromecast devices typically receive updates automatically, however administrators should verify that devices in the organizational environment have the latest firmware version installed.

Who is affected

Google Chromecast and Google Chromecast firmware software — specific versions indicated in the manufacturer's security bulletin from December 2023 (2023-12-01).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Google Chromecast

    HW
    Google
    wszystkie wersje
  • Google Chromecast Firmware

    OS
    Google
    < 2023-10-01
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2023-48426CRITICAL10.0PL ✓ten sam produkt

Krytyczna podatność u-boot w Google Chromecast — dostęp do powłoki przez UART

CVE-2023-48417CRITICAL9.8PL ✓ten sam produkt

Brak sprawdzania uprawnień w aplikacji KeyChainActivity na urządzeniach Google Chromecast

CVE-2023-48424CRITICAL9.8PL ✓ten sam produkt

Privilege escalation poprzez podatność w U-Boot shell na Google Chromecast

CVE-2023-6181CRITICAL9.8PL ✓ten sam produkt

RCE w Google Chromecast — trwałe wykonanie kodu przez błąd BCB

CVE-2018-12716MEDIUM4.3ten sam produkt

The API service on Google Home and Chromecast devices before mid-July 2018 does not prevent DNS rebinding atta...