Lucene search

[email protected]NVD:CVE-2022-43704

HistoryJan 20, 2023 - 5:15 p.m.

CVE-2022-43704

2023-01-2017:15:10

CWE-294

[email protected]

web.nvd.nist.gov

sinilink xy-wft1

wifi

remote thermostat

firmware 1.3.6

mqtt

sinilink521 protocol

udp

attack

authentication

mobile application

temperature.

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

5.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

30.0%

JSON

The Sinilink XY-WFT1 WiFi Remote Thermostat, running firmware 1.3.6, allows an attacker to bypass the intended requirement to communicate using MQTT. It is possible to replay Sinilink aka SINILINK521 protocol (udp/1024) commands interfacing directly with the target device. This, in turn, allows for an attack to control the onboard relay without requiring authentication via the mobile application. This might result in an unacceptable temperature within the target device’s physical environment.

Affected configurations

NVD

Node

sinilinkxy-wft1Match-

AND

sinilinkxy-wft1_firmwareMatch1.3.6

References

www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2022-43704-capture-replay-vulnerability-in-sinilink-xy-wft1-thermostat/

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

5.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

30.0%

JSON

Related for NVD:CVE-2022-43704

cve1 prion1 cvelist1 githubexploit1