Auth bypass in Boschrexroth Ctrlx_hmi_web_panel_wr2107
CVE-2023-45220
The Android Client application, when enrolled with the define method 1(the user manually inserts the server ip address), use HTTP protocol to retrieve sensitive information (ip address and credentials to connect to a remote MQTT broker en…
Vulnerability class: Broken Authentication
EPSS: 0.004 (31.1th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Boschrexroth Ctrlx_hmi_web_panel_wr2107
- Boschrexroth Ctrlx_hmi_web_panel_wr2107_firmware
- Boschrexroth Ctrlx_hmi_web_panel_wr2110
- Boschrexroth Ctrlx_hmi_web_panel_wr2110_firmware
- Boschrexroth Ctrlx_hmi_web_panel_wr2115
- Boschrexroth Ctrlx_hmi_web_panel_wr2115_firmware
- Rexroth Ctrlx Hmi Web Panel - Wr21 (Wr2107) — versions all
- Rexroth Ctrlx Hmi Web Panel - Wr21 (Wr2110) — versions all
- Rexroth Ctrlx Hmi Web Panel - Wr21 (Wr2115) — versions all
Weakness classification (CWE)
References
- psirt@bosch.com (vendor-advisory, Mitigation, Vendor Advisory)
Frequently asked questions
- What is CVE-2023-45220?
- CVE-2023-45220 is a high-severity vulnerability in Boschrexroth Ctrlx_hmi_web_panel_wr2107, classified under Missing Authentication for Critical Function. CVSS score: 8.8/10. Published 2023-10-25.
- How severe is CVE-2023-45220?
- High severity. CVSS v3 base score is 8.8 out of 10.