Strix
26.1K

CVE-2018-15478

UnknownEPSS 0.86%

Last modified

CVE-2018-15478 is a vulnerability of currently unknown severity. An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. The process of registering a device with a cloud account was based on an activation code derived from the device MAC address. EPSS estimates a 0.86% chance of exploitation in the next 30 days.

Description

An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. The process of registering a device with a cloud account was based on an activation code derived from the device MAC address. By guessing valid MAC addresses or using MAC addresses printed on devices in shops and reverse engineering the protocol, an attacker would have been able to register previously unregistered devices to their account. When the rightful owner would have connected them after purchase to their WiFi network, the devices would not have registered with their account, would subsequently not have been controllable from the owner's mobile app, and would not have been visible in the owner's account. Instead, they would have been under control of the attacker.

Metrics

EPSS Probability
0.86%

53.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
MystromWifi Switch Firmware< 2.66
MystromWifi Switch Firmware< 3.80
MystromWifi Button Plus Firmware< 2.73
MystromWifi Button Firmware< 2.73
MystromWifi Switch Eu Firmware< 3.80
MystromWifi Bulb Firmware< 2.58
MystromWifi Led Strip Firmware< 3.80

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2018-15478?
An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. The process of registering a device with a cloud account was based on an activation code derived from the device MAC address. By guessing valid MAC addresses or using MAC addresses printed on devices in shops and reverse engineering the protocol, an attacker would have been able to register previously unregistered devices to their account. When the rightful owner would have connected them after purchase to their WiFi network, the devices would not have registered with their account, would subsequently not have been controllable from the owner's mobile app, and would not have been visible in the owner's account. Instead, they would have been under control of the attacker.
How severe is CVE-2018-15478?
Severity scoring for CVE-2018-15478 is pending analysis. The EPSS model estimates a 0.86% probability of exploitation in the next 30 days.
How do I fix CVE-2018-15478?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-15478?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST