CVE-2021-3774

7.4 HIGH

📋 TL;DR

The Meross Smart Wi-Fi 2 Way Wall Switch (MSS550X) creates an open Wi-Fi access point without encryption during initial setup, allowing remote attackers to intercept Wi-Fi credentials transmitted in plain HTTP/JSON. This affects users of version 3.1.3 and earlier who are configuring the device. Attackers can capture the SSID and password configured through the Meross app.

💻 Affected Systems

Products:
  • Meross Smart Wi-Fi 2 Way Wall Switch MSS550X
Versions: 3.1.3 and earlier
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists during initial setup when device creates open AP. After configuration, device connects to user's Wi-Fi and vulnerability window closes.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker obtains home/office Wi-Fi credentials, gains network access, and potentially compromises other devices on the network.

🟠 Likely Case

Local attacker within Wi-Fi range captures credentials during device setup, gaining unauthorized network access.

🟢 If Mitigated

With proper network segmentation and monitoring, impact is limited to the isolated IoT network segment.

🌐 Internet-Facing: LOW (requires physical proximity to device's Wi-Fi signal during setup)
🏢 Internal Only: MEDIUM (once on network, attacker could pivot to other devices)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires being within Wi-Fi range during setup phase. Attack involves intercepting HTTP/JSON traffic from Meross app to device.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 3.1.3

Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/meross-mss550x-missing-encryption-sensitive-data

Restart Required: Yes

Instructions:

1. Open Meross app
2. Check for firmware updates
3. Apply any available updates
4. Reboot device after update

🔧 Temporary Workarounds

Secure setup environment

Configure device in physically secure location away from potential attackers

Temporary network isolation

Set up device on isolated guest network first, then move to main network

🧯 If You Can't Patch

  • Replace device with updated model or different vendor
  • Place device on isolated IoT VLAN with strict firewall rules

🔍 How to Verify

Check if Vulnerable:

Check device firmware version in Meross app. If version is 3.1.3 or earlier, device is vulnerable during setup.

Check Version:

Not applicable - check via Meross mobile app interface

Verify Fix Applied:

Confirm firmware version is higher than 3.1.3 in Meross app settings.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to device during setup phase
  • Multiple failed connection attempts from unknown devices

Network Indicators:

  • Open Wi-Fi AP with Meross/MSS550X in SSID name
  • Plain HTTP traffic containing SSID/password fields

SIEM Query:

Not applicable - primarily physical/local network detection
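
One way to check for the first network indicator above, as an added example that is not part of the original advisory or any Meross tooling: it parses the terse output of `nmcli -t -f SSID,SECURITY device wifi list` and reports access points that advertise no encryption and carry "Meross" or "MSS550X" in the SSID. The sample SSIDs are constructed, and the substring match is an assumption because the page does not give the exact setup SSID format.

```python
import subprocess

# Substrings from the page's network indicator; the real setup SSID format is not given there.
SSID_MARKERS = ("meross", "mss550x")
OPEN_VALUES = {"", "--"}  # nmcli shows no security flags for an open network

# Constructed sample of `nmcli -t -f SSID,SECURITY device wifi list` output.
SAMPLE_SCAN = "\n".join([
    r"HomeNet:WPA2",
    r"Meross_SW_1A2B:",
    r"meross-office:WPA2",
    r"Lab\:MSS550X setup:--",
    r"CoffeeShop:",
])


def split_terse(line):
    """Split one nmcli terse line on ':' while honouring '\\' escapes."""
    fields, cur, chars = [], [], iter(line)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))  # keep the escaped character literally
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields


def find_open_setup_aps(scan_text):
    """Return SSIDs that match the markers and advertise no encryption."""
    hits = []
    for line in scan_text.splitlines():
        fields = split_terse(line)
        if len(fields) != 2:
            continue  # not an SSID,SECURITY row
        ssid, security = fields
        if security.strip() in OPEN_VALUES and any(m in ssid.lower() for m in SSID_MARKERS):
            hits.append(ssid)
    return hits


def live_scan():
    """Run a real scan on a Linux host with NetworkManager (not used in the sample run)."""
    cmd = ["nmcli", "-t", "-f", "SSID,SECURITY", "device", "wifi", "list"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for ssid in find_open_setup_aps(SAMPLE_SCAN):
        print(f"open setup AP visible: {ssid!r}")
```

A hit means a device is currently in setup mode with an open AP; finish or abort the setup so the exposure window closes.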
