CVE-2023-45851

Summary

The Android Client application, when enrolled to the AppHub server,connects to an MQTT broker without enforcing any server authentication. 

This issue allows an attacker to force the Android Client application to connect to a malicious MQTT broker, enabling it to send fake messages to the HMI device

Affected Software

VendorProductVersion RangeStatus
Bosch Rexroth AGctrlX HMI Web Panel - WR21 (WR2107)allaffected
Bosch Rexroth AGctrlX HMI Web Panel - WR21 (WR2110)allaffected
Bosch Rexroth AGctrlX HMI Web Panel - WR21 (WR2115)allaffected

Weaknesses

  • CWE-306: CWE-306 Missing Authentication for Critical Function

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References