CVE-2023-33372

9.8 CRITICAL

📋 TL;DR

Connected IO devices v2.1.0 and earlier contain hard-coded MQTT credentials in firmware, allowing attackers to connect to the MQTT broker and impersonate devices. This enables authentication bypass through JWT token manipulation. Organizations using Connected IO routers are affected.

💻 Affected Systems

Products:
  • Connected IO routers
Versions: v2.1.0 and prior
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running affected firmware versions are vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover, unauthorized control of IoT infrastructure, data exfiltration, and potential lateral movement to other systems.

🟠

Likely Case

Unauthorized access to device communications, data interception, and potential service disruption through malicious MQTT messages.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, though authentication bypass remains possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires obtaining hard-coded credentials, which may be extracted from firmware or discovered through other means.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.2.0 or later

Vendor Advisory: https://www.connectedio.com/products/routers

Restart Required: Yes

Instructions:

1. Contact Connected IO for updated firmware.
2. Back up the device configuration.
3. Apply the firmware update via the management interface.
4. Restart the device.
5. Verify the new firmware version.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate Connected IO devices in separate VLANs with strict firewall rules limiting MQTT traffic.

MQTT Broker Access Control

all

Configure MQTT broker to reject connections using default credentials and implement certificate-based authentication.

🧯 If You Can't Patch

  • Implement strict network access controls to limit MQTT broker exposure
  • Monitor MQTT traffic for unauthorized connections and anomalous message patterns

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version via the web interface or CLI. If the version is 2.1.0 or earlier, the device is vulnerable.

Check Version:

Check via device web interface or manufacturer's management tool

Verify Fix Applied:

Confirm firmware version is 2.2.0 or later and test MQTT authentication with new credentials.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts with default credentials
  • Unusual MQTT connection patterns
  • JWT token validation errors

Network Indicators:

  • MQTT traffic from unexpected sources
  • Unencrypted MQTT communications
  • Anomalous message publishing patterns

SIEM Query:

source="mqtt_broker" AND ((event="authentication_failure" AND username="default_user") OR (event="connection" AND src_ip NOT IN allowed_ips))
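The query above is written as a standalone detector here, as an added example that is not part of the advisory: it parses constructed MQTT broker log lines and flags the three log indicators listed above (default-credential authentication failures, connections from outside the device VLAN or using default credentials, and JWT validation errors). The log format, the field names, the `default_user` name and the `10.20.0.0/24` allowlist are placeholders to be replaced with the real broker's values.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed placeholders: usernames known to be shipped as firmware defaults,
# and the network(s) where Connected IO devices are isolated (see Network Segmentation).
DEFAULT_USERNAMES = {"default_user"}
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed key=value log format; adapt the regex to the real broker's log layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\w+) src_ip=(?P<ip>\S+)"
    r"(?: username=(?P<user>\S+))?(?: client_id=(?P<cid>\S+))?$"
)

def parse_line(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else {}

def in_allowed_net(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address is never trusted
    return any(addr in net for net in ALLOWED_NETS)

def classify(rec: Dict[str, str]) -> List[str]:
    findings = []
    event = rec.get("event")
    if event == "authentication_failure" and rec.get("user") in DEFAULT_USERNAMES:
        findings.append("default-credential auth failure")
    if event == "connection":
        if not in_allowed_net(rec["ip"]):
            findings.append("connection from outside device VLAN")
        if rec.get("user") in DEFAULT_USERNAMES:
            findings.append("connection using default credentials")
    if event == "jwt_validation_error":
        findings.append("JWT validation error")
    return findings

def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue  # skip lines that are not broker events
        alerts.extend((rec["ts"], rec["ip"], f) for f in classify(rec))
    return alerts

SAMPLE_LOG = [  # constructed sample events
    "2024-01-01T10:00:00Z event=connection src_ip=10.20.0.15 username=router-a1 client_id=cio-0001",
    "2024-01-01T10:00:05Z event=authentication_failure src_ip=203.0.113.7 username=default_user",
    "2024-01-01T10:00:09Z event=connection src_ip=203.0.113.7 username=default_user client_id=cio-0001",
    "2024-01-01T10:00:12Z event=jwt_validation_error src_ip=203.0.113.7 client_id=cio-0001",
    "broker restarted",
]

if __name__ == "__main__":
    for ts, ip, finding in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {finding}")
```

A connection that reuses an existing device's client_id from a new source address (as in the third sample line) is the device-impersonation pattern the advisory describes, so correlating alerts by client_id is a useful next step.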

🔗 References
