CVE-2023-1748

Summary

The listed versions of Nexx Smart Home devices use hard-coded credentials. An attacker with unauthenticated access to the Nexx Home mobile application or the affected firmware could view the credentials and access the MQ Telemetry Server (MQTT) server and the ability to remotely control garage doors or smart plugs for any customer.

Affected Software

VendorProductVersion RangeStatus
NexxSmart Alarm NXAL-1000 <= nxal100v-p1-9-1affected
NexxSmart Plug NXPG-100W0 <= nxpg100cv4-0-0affected
NexxGarage Door Controller NXG-100B, NXG-2000 <= nxg200v-p3-4-1affected

Weaknesses

  • CWE-798 Use of Hard-coded Credentials

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References