CVE-2018-15476
CVE-2018-15476 is a vulnerability of currently unknown severity. EPSS estimates a 0.76% chance of exploitation in the next 30 days.
Description
An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. The device did not verify the SSL/TLS server certificate in device-to-cloud communication. As a result, an attacker in control of a device's network traffic could have taken control of the device by intercepting and modifying commands issued from the server to the device in a man-in-the-middle attack. This included the ability to inject firmware update commands into the communication and cause the device to install maliciously modified firmware.
Affected Software
| Vendor | Product | Affected versions |
|---|---|---|
| myStrom | WiFi Switch Firmware | < 2.66 |
| myStrom | WiFi Switch Firmware | < 3.80 |
| myStrom | WiFi Button Plus Firmware | < 2.73 |
| myStrom | WiFi Button Firmware | < 2.73 |
| myStrom | WiFi Switch EU Firmware | < 3.80 |
| myStrom | WiFi Bulb Firmware | < 2.58 |
| myStrom | WiFi LED Strip Firmware | < 3.80 |
Source: NVD / NIST
