Vulnerability identifier: #VU71416
Vulnerability risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:U/RC:C]
CVE-ID:
CWE-ID: CWE-294
Exploitation vector: Network
Exploit availability: No
Vulnerable software: XY-WFTX Wifi Remote Thermostat Module Temperature Controller
Category: Hardware solutions / Other hardware appliances
Vendor: Sinilink
Description
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists because the device is susceptible to authentication bypass by capture-replay. A remote attacker can control the onboard relay without authenticating via the mobile application.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
XY-WFTX Wifi Remote Thermostat Module Temperature Controller: 1.3.6
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote unauthenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.