Misconfiguration in Connected IO v2.1.0 and prior allows unauthorized device command impersonation

Misconfiguration in Connected IO v2.1.0 and prior allows unauthorized device command impersonation

CVE-2023-33379 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Connected IO v2.1.0 and prior has a misconfiguration in their MQTT broker used for management and device communication, which allows devices to connect to the broker and issue commands to other device, impersonating Connected IO management platform and sending commands to all of Connected IO's devices.

Learn more about our Web Application Penetration Testing UK.