Critical Vulnerability Affecting InHand Networks InRouters

Published on 17 Jan 2023

Updated on 17 Jan 2023

Security researchers have discovered an improper access control vulnerability (CVE-2023-22600) affecting InHand Networks InRouters. The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 10 out of 10.

Successful exploitation of the vulnerability could allow unauthenticated devices to subscribe to Message Queuing Telemetry Transport (MQTT) topics on the same network as the device manager. An attacker with prior knowledge of the topics could send messages to and receive messages from an existing topic, and perform command or code execution and information disclosure.

The following versions of InRouters are affected:

  • InRouter 302: All versions prior to IR302 V3.5.56
  • InRouter 615: All versions prior to InRouter6XX-S-V2.3.0.r5542

Administrators and users are advised to upgrade affected devices to the following firmware versions immediately:

  • InRouter302 firmware to IR302 V3.5.56 or later
  • InRouter615 firmware to InRouter6XX-S-V2.3.0.r5542 or later
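
As an added example (not part of the original advisory and not InHand Networks' own tooling), the following Python script triages a device inventory against the fixed firmware versions listed above. It assumes that inventory firmware strings follow the same form as the advisory's version strings and that versions compare numerically, component by component; the host names and sample firmware strings are constructed.

```python
import re

# Fixed firmware versions, copied from the advisory above.
FIXED = {
    "InRouter302": "IR302 V3.5.56",
    "InRouter615": "InRouter6XX-S-V2.3.0.r5542",
}

def version_key(firmware):
    """Numeric components after the 'V' marker, as a tuple for comparison.

    Assumption: components order numerically left to right, and a trailing
    'r<build>' is the least significant component.
    """
    m = re.search(r"V(\d+(?:\.\d+)*)(?:\.r(\d+))?\s*$", firmware.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {firmware!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if m.group(2) is not None:
        parts.append(int(m.group(2)))
    return tuple(parts)

def triage(inventory):
    """Map each host to 'upgrade', 'ok' or 'unknown' (needs manual review)."""
    result = {}
    for host, model, firmware in inventory:
        try:
            fixed = version_key(FIXED[model])
            result[host] = "upgrade" if version_key(firmware) < fixed else "ok"
        except (KeyError, ValueError):
            result[host] = "unknown"
    return result

# Constructed sample inventory; host names and firmware strings are made up.
SAMPLE_INVENTORY = [
    ("rtr-a", "InRouter302", "IR302 V3.5.9"),    # 9 < 56 numerically
    ("rtr-b", "InRouter302", "IR302 V3.5.56"),   # fixed release
    ("rtr-c", "InRouter615", "InRouter6XX-S-V2.3.0.r5541"),
    ("rtr-d", "InRouter615", "InRouter6XX-S-V2.3.1.r10"),
    ("rtr-e", "InRouter615", "custom-build"),    # unparseable
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" have a model or firmware string the script cannot interpret and should be checked by hand rather than assumed safe.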

 

More information is available here:

https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-03