CVE-2024-41161

Summary

Use of hard-coded credentials vulnerability affecting Vonets industrial wifi bridge relays and wifi bridge repeaters, software versions 3.3.23.6.9 and prior, enables an unauthenticated remote attacker to bypass authentication using hard-coded administrator credentials. These accounts cannot be disabled.

Affected Software

VendorProductVersion RangeStatus
VonetsVAR1200-H0 <= 3.3.23.6.9affected
VonetsVAR1200-L0 <= 3.3.23.6.9affected
VonetsVAR600-H0 <= 3.3.23.6.9affected
VonetsVAP11AC0 <= 3.3.23.6.9affected
VonetsVAP11G-500S0 <= 3.3.23.6.9affected
VonetsVBG12000 <= 3.3.23.6.9affected
VonetsVAP11S-5G0 <= 3.3.23.6.9affected
VonetsVAP11S0 <= 3.3.23.6.9affected
VonetsVAR11N-3000 <= 3.3.23.6.9affected
VonetsVAP11G-3000 <= 3.3.23.6.9affected
VonetsVAP11N-3000 <= 3.3.23.6.9affected
VonetsVAP11G0 <= 3.3.23.6.9affected
VonetsVAP11G-5000 <= 3.3.23.6.9affected
VonetsVBG12000 <= 3.3.23.6.9affected
VonetsVAP11AC0 <= 3.3.23.6.9affected
VonetsVGA-10000 <= 3.3.23.6.9affected

Weaknesses

  • CWE-798: CWE-798 Use of Hard-coded Credentials

Workarounds

Vonets has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected products are encouraged to contact Vonets support https://usdhs-my.sharepoint.com/personal/grayson_gaylor_associates_cisa_dhs_gov1/_layouts/15/support@vonets.com for additional information.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References