CVE-2024-33897
Severity CVSS v4.0: Pending analysis
Type: CWE-425 Direct Request ('Forced Browsing')
Publication date: 06/08/2024
Last modified: 10/10/2024
Description
A compromised HMS Networks Cosy+ device could be used to request a Certificate Signing Request from Talk2m for another device, resulting in an availability issue. The issue was patched on the Talk2m production server on April 18, 2024.
Impact
Base Score 3.x: 9.10
Severity 3.x: CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:hms-networks:ewon_cosy\+_firmware:*:*:*:*:*:*:*:* | 21.0s0 (including) | 21.2s10 (excluding) |
| cpe:2.3:o:hms-networks:ewon_cosy\+_firmware:*:*:*:*:*:*:*:* | 22.0s0 (including) | 22.1s3 (excluding) |
| cpe:2.3:h:hms-networks:ewon_cosy\+_4g_apac:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:hms-networks:ewon_cosy\+_4g_eu:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:hms-networks:ewon_cosy\+_4g_jp:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:hms-networks:ewon_cosy\+_4g_na:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:hms-networks:ewon_cosy\+_ethernet:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:hms-networks:ewon_cosy\+_wifi:-:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/
- https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf
- https://www.ewon.biz/products/cosy/ewon-cosy-wifi
- https://www.hms-networks.com/cyber-security



