An unauthenticated remote attacker can execute OS commands via UDP on the device due to missing authentication.
The vulnerability results from the lack of required authentication (CWE-306) for a function accepting commands via UDP. An attacker with network access to the device can send crafted UDP packets containing system commands, which are executed directly by the device's operating system. The attack vector is network-based and does not require user interaction or prior system access.
An attacker can gain full control over the device by executing arbitrary operating system commands, resulting in violations of confidentiality, integrity, and system availability. In the context of industrial devices (industrial gateway/router), this can lead to disruption of operational processes or use of the device as an entry point to the OT network.
Patches available from the manufacturer should be applied according to the references (https://cert.vde.com/en/advisories/VDE-2024-056 and https://cert.vde.com/en/advisories/VDE-2024-066). As a temporary measure, it is recommended to restrict network access to devices through a firewall or network segmentation and block unauthorized UDP traffic to these devices.
Mbconnectline Mbnet.Mini devices (firmware) and Helmholz Rex 100 devices (firmware) — specific versions indicated in the manufacturer's references (CERT VDE advisories VDE-2024-056 and VDE-2024-066)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HHelmholz Rex 100
HWHelmholzwszystkie wersjeHelmholz Rex 100 Firmware
OSHelmholz< 2.3.1Mbconnectline Mbnet.mini
HWMbconnectlinewszystkie wersjeMbconnectline Mbnet.mini Firmware
OSMbconnectline< 2.3.1
Related vulnerabilities
Zakodowane na stałe dane logowe w urządzeniach Mbconnectline i Helmholz
A high privileged remote attacker can execute arbitrary system commands via GET requests in the cloud server c...
A high privileged remote attacker can execute arbitrary system commands via POST requests in the diagnostic ac...
A high privileged remote attacker can execute arbitrary system commands via POST requests in the send_sms acti...
An unauthenticated remote attacker can get read access to files in the "/tmp" directory due to missing authent...