CVE-2023-32346

2023-05-2215:15:09

CWE-204

[email protected]

web.nvd.nist.gov

teltonika

remote management system

cve-2023-32346

unauthorized access

information disclosure

security vulnerability

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.2 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.4%

JSON

Teltonika’s Remote Management System versions prior to 4.10.0 contain a function that allows users to claim their devices. This function returns information based on whether the serial number of a device has already been claimed, the MAC address of a device has already been claimed, or whether the attempt to claim a device was successful. An attacker could exploit this to create a list of the serial numbers and MAC addresses of all devices cloud-connected to the Remote Management System.

Affected configurations

NVD

Node

teltonikaremote_management_systemRange<4.10.0

CPENameOperatorVersion
teltonika:remote_management_systemteltonika remote management systemlt4.10.0

CPE	Name	Operator	Version
teltonika:remote_management_system	teltonika remote management system	lt	4.10.0

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Remote Management System",
    "vendor": "Teltonika",
    "versions": [
      {
        "lessThan": "4.10.0",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]