CVE-2023-37822
CVE-2023-37822 is a high-severity vulnerability with a CVSS 3.1 base score of 8.2/10. The Eufy Homebase 2, before firmware version 3.3.4.1h, creates a dedicated wireless network for its ecosystem that acts as a proxy to the end user's primary network. The WPA2-PSK for this dedicated network is derived solely from the device serial number, so it can be recovered offline. EPSS estimates a 0.28% chance of exploitation in the next 30 days.
Description
The Eufy Homebase 2 before firmware version 3.3.4.1h creates a dedicated wireless network for its ecosystem, which serves as a proxy to the end user's primary network. The WPA2-PSK generation of this dedicated network is flawed and solely based on the serial number. Due to the flawed generation process, the WPA2-PSK can be brute forced offline within seconds. This vulnerability allows an attacker in proximity to the dedicated wireless network to gain unauthorized access to the end user's primary network. The only requirement of the attack is proximity to the dedicated wireless network.
Metrics
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Eufy | Homebase 2 Firmware | < 3.3.4.1h |
References
- http://anker.com (Product)
- http://eufy.com (Product)
- https://www.usenix.org/conference/woot24/presentation/goeman (Technical Description)
- https://www.usenix.org/system/files/woot24-goeman.pdf (Technical Description)
Source: NVD / NIST
