← Back to CVEs
CVE-2023-45852
CRITICAL9.8
Description
In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticated attacker to bypass authentication and execute arbitrary commands via shell metacharacters in the ipaddr params JSON data for the put method.
CVE Details
CVSS v3.1 Score9.8
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published10/14/2023
Last Modified11/21/2024
Sourcenvd
Honeypot Sightings0
Affected Products
viessmann:vitogate_300viessmann:vitogate_300_firmware
Weaknesses (CWE)
CWE-77
References
https://connectivity.viessmann.com/gb/mp-fp/vitogate/vitogate-300-bn-mb.html(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/Push3AX/vul/blob/main/viessmann/Vitogate300_RCE.md(af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.