CVE-2023-46892

8.8 HIGH

📋 TL;DR

The Meross MSH30Q thermostat's radio frequency communication protocol is vulnerable to replay attacks, allowing attackers to record legitimate commands and replay them to execute unauthorized actions like changing temperature settings. This affects users of the MSH30Q thermostat with vulnerable firmware. Attackers within radio range can exploit this without authentication.

💻 Affected Systems

Products:
  • Meross MSH30Q Smart Thermostat
Versions: 4.5.23
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running this firmware version are vulnerable by default. The vulnerability is in the RF communication protocol implementation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could manipulate thermostat settings to cause physical damage (e.g., extreme temperature changes damaging property), create safety hazards, or disrupt HVAC systems in critical environments.

🟠 Likely Case

Unauthorized temperature adjustments causing discomfort, energy waste, or minor property damage in residential settings.

🟢 If Mitigated

Limited impact if device is isolated from radio access or patched, though physical proximity attacks remain possible.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires physical proximity to capture RF signals. No authentication is needed to replay commands.
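
Why a recorded frame stays valid, and what a receiver-side freshness check changes, as an added example (not Meross code and not from the advisory). The page does not describe the MSH30Q frame format, so the layout (4-byte counter, 1-byte setpoint, truncated HMAC tag), the key and all names below are assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8  # truncated HMAC-SHA256 tag length (assumed for this sketch)

def build_frame(key: bytes, counter: int, setpoint_c: int) -> bytes:
    """Sender side: counter (4 bytes) + setpoint (1 byte) + truncated HMAC tag."""
    body = struct.pack(">IB", counter, setpoint_c)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class NaiveReceiver:
    """Models the described weakness: a well-formed frame is acted on every time."""
    def __init__(self):
        self.setpoint_c = 20
    def handle(self, frame: bytes) -> bool:
        if len(frame) != 5 + TAG_LEN:
            return False
        _, self.setpoint_c = struct.unpack(">IB", frame[:5])
        return True

class FreshnessReceiver:
    """Verifies the tag, then requires a counter above the last accepted one."""
    def __init__(self, key: bytes):
        self.key, self.last_counter, self.setpoint_c = key, 0, 20
    def handle(self, frame: bytes) -> bool:
        if len(frame) != 5 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # modified or corrupted frame
        counter, setpoint = struct.unpack(">IB", body)
        if counter <= self.last_counter:
            return False  # same or older counter: a re-sent frame
        self.last_counter, self.setpoint_c = counter, setpoint
        return True

def demo() -> dict:
    """Feed both receivers the same constructed sequence: first, second, first again."""
    key = b"constructed-demo-key"  # constructed sample value
    first = build_frame(key, 1, 30)
    second = build_frame(key, 2, 21)
    naive, fresh = NaiveReceiver(), FreshnessReceiver(key)
    frames = (first, second, first)
    naive_ok = [naive.handle(f) for f in frames]
    fresh_ok = [fresh.handle(f) for f in frames]
    return {"naive": naive_ok, "naive_setpoint": naive.setpoint_c,
            "fresh": fresh_ok, "fresh_setpoint": fresh.setpoint_c}
```

A real receiver would also need to keep `last_counter` across power loss and define how sender and receiver resynchronise.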

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not publicly available

Restart Required: No

Instructions:

Check Meross support for firmware updates. If available, update through the Meross app:

  1. Open Meross app
  2. Select device
  3. Check for firmware updates
  4. Apply update if available

🔧 Temporary Workarounds

Physical Isolation

Place device in location with limited RF signal access to reduce attack surface.

Network Segmentation

Isolate thermostat on separate network segment to limit potential lateral movement if compromised.

🧯 If You Can't Patch

  • Disable RF communication if possible through device settings
  • Monitor for unusual temperature changes and implement physical security controls

🔍 How to Verify

Check if Vulnerable:

Check firmware version in Meross app: Device Settings > About. If version is 4.5.23, device is vulnerable.

Check Version:

Not applicable - check through Meross mobile app interface

Verify Fix Applied:

Verify firmware version has changed from 4.5.23 to a newer version in the Meross app.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected temperature setting changes in thermostat logs
  • Multiple rapid command executions

Network Indicators:

  • Unusual RF signal patterns near device (requires specialized RF monitoring equipment)

SIEM Query:

Not applicable - primarily physical/RF based attack
