Strix
26.1K

CVE-2023-46889

MEDIUMCVSS 5.7/10EPSS 0.17%

Last modified

CVE-2023-46889 is a medium-severity vulnerability rated 5.7/10 on the CVSS scale. Meross MSH30Q 4.5.23 is vulnerable to Cleartext Transmission of Sensitive Information. During the device setup phase, the MSH30Q creates an unprotected Wi-Fi access point. EPSS estimates a 0.17% chance of exploitation in the next 30 days.

Description

Meross MSH30Q 4.5.23 is vulnerable to Cleartext Transmission of Sensitive Information. During the device setup phase, the MSH30Q creates an unprotected Wi-Fi access point. In this phase, MSH30Q needs to connect to the Internet through a Wi-Fi router. This is why MSH30Q asks for the Wi-Fi network name (SSID) and the Wi-Fi network password. When the user enters the password, the transmission of the Wi-Fi password and name between the MSH30Q and mobile application is observed in the Wi-Fi network. Although the Wi-Fi password is encrypted, a part of the decryption algorithm is public so we complemented the missing parts to decrypt it.

Metrics

CVSS 3.1
5.7/10

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS Probability
0.17%

6.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
MerossMsh30q Firmware4.5.23

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2023-46889?
Meross MSH30Q 4.5.23 is vulnerable to Cleartext Transmission of Sensitive Information. During the device setup phase, the MSH30Q creates an unprotected Wi-Fi access point. In this phase, MSH30Q needs to connect to the Internet through a Wi-Fi router. This is why MSH30Q asks for the Wi-Fi network name (SSID) and the Wi-Fi network password. When the user enters the password, the transmission of the Wi-Fi password and name between the MSH30Q and mobile application is observed in the Wi-Fi network. Although the Wi-Fi password is encrypted, a part of the decryption algorithm is public so we complemented the missing parts to decrypt it.
How severe is CVE-2023-46889?
CVE-2023-46889 has a CVSS score of 5.7/10 (MEDIUM severity). The EPSS model estimates a 0.17% probability of exploitation in the next 30 days.
How do I fix CVE-2023-46889?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-46889?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST