Unauthenticated Remote Attacker Can Read Memory Out of Bounds Due to Input Validation Flaw in MQTT Stack
CVE-2024-26000

5.9MEDIUM

Key Information:

Vendor: Phoenix Contact
Status: Charx Sec-3000; Charx Sec-3050; Charx Sec-3100; Charx Sec-3150
Vendor: CVE Published:; 12 March 2024

Summary

The vulnerability in the MQTT stack allows unauthenticated remote attackers to read memory out of bounds due to improper input validation. Although attempts at brute force attacks may not consistently succeed due to memory randomization, the risk remains significant, potentially exposing sensitive information.

Affected Version(s)

CHARX SEC-3000 0 <= 1.5.0

CHARX SEC-3050 0 <= 1.5.0

CHARX SEC-3100 0 <= 1.5.0

References

https://cert.vde.com/en/advisories/VDE-2024-011

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 12, 2024
Vulnerability Reserved
Feb 14, 2024

Credit

Peter Geissler

Rick De Jager

Carlo Meijer