CVE-2022-45608

8.8 HIGH

📋 TL;DR

This vulnerability in ThingsBoard 3.4.1 allows low-privileged CUSTOMER_USER accounts to escalate privileges to TENANT_ADMIN or SYS_ADMIN roles by exploiting an API parameter. Any organization running the affected version with customer user accounts is vulnerable to complete administrative takeover.

💻 Affected Systems

Products:
  • ThingsBoard
Versions: 3.4.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires CUSTOMER_USER account access and knowledge of the vulnerable API parameter.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the ThingsBoard instance with administrative control, allowing data theft, system manipulation, and further network penetration.

🟠 Likely Case

Attackers holding a CUSTOMER_USER account gain administrative access and can manipulate dashboards, devices, and users, and read sensitive IoT data.

🟢 If Mitigated

Limited impact when proper network segmentation, monitoring, and least-privilege principles are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access as CUSTOMER_USER and knowledge of the specific API parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.2 or later

Vendor Advisory: http://thingsboard.com

Restart Required: Yes

Instructions:

1. Back up your ThingsBoard instance.
2. Upgrade to version 3.4.2 or later.
3. Restart the ThingsBoard service.
4. Verify the fix by confirming that the privilege escalation attempt no longer succeeds.

🔧 Temporary Workarounds

Restrict API Access
Applies to: all

Implement network controls to restrict access to the vulnerable API endpoints from unauthorized users.

Monitor User Activity
Applies to: all

Implement enhanced logging and monitoring for privilege escalation attempts and administrative actions.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate ThingsBoard from critical systems
  • Remove or disable all CUSTOMER_USER accounts until patching is possible

🔍 How to Verify

Check if Vulnerable:

Check if running ThingsBoard version 3.4.1. Attempt privilege escalation with CUSTOMER_USER account using the known API parameter.

Check Version:

Check ThingsBoard web interface admin panel or review application logs for version information.

Verify Fix Applied:

After upgrading to 3.4.2 or later, attempt the same privilege escalation test; it should fail. Confirm that the running version is 3.4.2 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation attempts
  • CUSTOMER_USER accounts performing administrative actions
  • API calls with authority parameter manipulation

Network Indicators:

  • Unusual API requests to user/authority endpoints from customer accounts

SIEM Query:

source="thingsboard" AND (event="privilege_escalation" OR event="user_role_change" OR event="authority_parameter_manipulation")

(The event names above are illustrative placeholders; map them to the event or field names your ThingsBoard audit logs and SIEM actually emit.)
