#VU82528 Improper access control in Sielco products - CVE-2023-45228


Vulnerability identifier: #VU82528

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-45228

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software (Hardware solutions / Routers & switches, VoIP, GSM, etc):
Analog FM transmitter EXC5000GX
Analog FM transmitter EXC120GX
Analog FM transmitter EXC300GX
Analog FM transmitter EXC1600GX
Analog FM transmitter EXC2000GX
Analog FM transmitter EXC1000GX
Analog FM transmitter EXC3000GX
Analog FM transmitter EXC30GT
Analog FM transmitter EXC300GT
Analog FM transmitter EXC100GT
Analog FM transmitter EXC5000GT
Analog FM transmitter EXC1000GT
Analog FM transmitter EXC120GT
Radio Link RTX19
Radio Link EXC19

Vendor: Sielco

Description

The vulnerability allows a remote authenticated user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the user-editing functionality. A remote authenticated user can send a single HTTP POST request with modified parameters to manipulate users, passwords and permissions, including those of accounts with higher privileges than their own.
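The following is an added illustration of the vulnerability class (CWE-284 in a "modify user" endpoint), not Sielco's code or anything taken from the advisory: the form parameter names (`username`, `password`, `role`), the role names, the user records and the request bodies are all hypothetical and constructed so the example runs offline. It places a handler that authenticates but never authorises beside one that checks the caller's privileges, and shows why a single tampered POST body is enough in the first case.

```python
"""CWE-284 in a 'modify user' web endpoint: vulnerable vs. hardened handler.

Hypothetical example (not Sielco's code). Field names, roles and accounts
are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict
from urllib.parse import parse_qs


@dataclass
class User:
    name: str
    password: str
    role: str  # hypothetical roles: "admin" or "operator"


def seed_users() -> Dict[str, User]:
    """Constructed account table standing in for the device's user store."""
    return {
        "admin": User("admin", "S3cret-admin", "admin"),
        "op": User("op", "operator-pw", "operator"),
    }


def parse_form(body: str) -> Dict[str, str]:
    """Decode an application/x-www-form-urlencoded POST body (first value wins)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_edit_user(store: Dict[str, User], session_user: str, body: str) -> str:
    """Vulnerable handler: confirms the caller has a valid session, then applies
    whatever the client put in the form. The 'username' field decides which
    account is edited, so a low-privileged caller can rewrite anyone."""
    if session_user not in store:
        return "401 unauthenticated"
    form = parse_form(body)
    target = store.get(form.get("username", ""))
    if target is None:
        return "404 no such user"
    if "password" in form:
        target.password = form["password"]
    if "role" in form:
        target.role = form["role"]
    return "200 updated"


def hardened_edit_user(store: Dict[str, User], session_user: str, body: str) -> str:
    """Hardened handler: the same request is checked against the caller's
    stored privileges, never against what the form claims."""
    caller = store.get(session_user)
    if caller is None:
        return "401 unauthenticated"
    form = parse_form(body)
    target_name = form.get("username", "")
    target = store.get(target_name)
    if target is None:
        return "404 no such user"
    is_admin = caller.role == "admin"
    editing_self = target_name == session_user
    # Non-admins may only edit their own account, and may never set a role
    # (otherwise a self-edit becomes a self-escalation).
    if not is_admin and (not editing_self or "role" in form):
        return "403 forbidden"
    if "password" in form:
        target.password = form["password"]
    if "role" in form:
        target.role = form["role"]
    return "200 updated"


def demo() -> Dict[str, str]:
    """Replay two tampered POST bodies from the low-privileged 'op' session
    against both handlers and report the resulting HTTP statuses."""
    tampered = "username=admin&password=pwned&role=admin"  # constructed body
    escalate = "username=op&role=admin"                    # constructed body
    v, h = seed_users(), seed_users()
    return {
        "vuln_takeover": vulnerable_edit_user(v, "op", tampered),
        "vuln_escalate": vulnerable_edit_user(v, "op", escalate),
        "hard_takeover": hardened_edit_user(h, "op", tampered),
        "hard_escalate": hardened_edit_user(h, "op", escalate),
        "hard_self_pw": hardened_edit_user(h, "op", "username=op&password=new-op-pw"),
    }


if __name__ == "__main__":
    for k, status in demo().items():
        print(f"{k}: {status}")
```

The point of the hardened variant is that authentication (a valid session) and authorisation (is this caller allowed to change this account's role or password) are separate checks; the vulnerable handler has only the first, which is exactly the condition under which "a single HTTP POST request with modified parameters" suffices.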

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Analog FM transmitter EXC5000GX: 2.06 - 2.12

Analog FM transmitter EXC120GX: 2.12

Analog FM transmitter EXC300GX: 2.11

Analog FM transmitter EXC1600GX: 2.08 - 2.10

Analog FM transmitter EXC2000GX: 2.10

Analog FM transmitter EXC1000GX: 2.08

Analog FM transmitter EXC3000GX: 2.07

Analog FM transmitter EXC30GT: 1.7.7

Analog FM transmitter EXC300GT: 1.7.4

Analog FM transmitter EXC100GT: 1.7.4

Analog FM transmitter EXC5000GT: 1.7.4

Analog FM transmitter EXC1000GT: 1.6.3

Analog FM transmitter EXC120GT: 1.5.4

Radio Link RTX19: 1.59 - 2.06

Radio Link EXC19: 1.55 - 2.00


External links
https://www.sielco.org/en/contacts
https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-08


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
