CVE-2023-49617

10.0 CRITICAL

📋 TL;DR

The MachineSense API lacks authentication controls, allowing remote attackers to access and modify sensitive information without credentials. This affects all systems running vulnerable MachineSense software with exposed APIs.

💻 Affected Systems

Products:
  • MachineSense API
Versions: All versions prior to patched release (specific version unknown from provided data)
Operating Systems: Unknown - likely various industrial/embedded systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any deployment where MachineSense API is accessible without authentication controls.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of connected industrial control systems, unauthorized control of machinery, data theft, and potential physical damage to industrial processes.

🟠 Likely Case

Unauthorized access to sensitive operational data, configuration tampering, and potential disruption of monitoring systems.

🟢 If Mitigated

Limited impact if API is isolated behind network segmentation and access controls, though vulnerability remains present.

🌐 Internet-Facing: HIGH - Directly exposed APIs can be exploited by any internet-connected attacker without authentication.
🏢 Internal Only: HIGH - Even internally, any user or compromised system on the network can exploit this without authentication.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No authentication required makes exploitation trivial for anyone with network access to the API.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown from provided references - check vendor advisory

Vendor Advisory: https://machinesense.com/pages/about-machinesense

Restart Required: Yes

Instructions:

1. Contact MachineSense vendor for patched version.
2. Apply vendor-provided update.
3. Restart affected systems.
4. Verify authentication is now required for API access.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate the MachineSense API behind a firewall with strict access controls.

API Gateway with Authentication

all

Place a reverse proxy with authentication in front of the vulnerable API.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate MachineSense systems from untrusted networks
  • Deploy web application firewall with authentication requirements for API endpoints

🔍 How to Verify

Check if Vulnerable:

Attempt to access MachineSense API endpoints without authentication - if successful, system is vulnerable.

Check Version:

Check MachineSense documentation or contact vendor for version verification method.

Verify Fix Applied:

Verify authentication is now required for all API endpoints and test with invalid credentials.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated API access attempts
  • Unusual API request patterns
  • Configuration changes via API

Network Indicators:

  • Direct API calls without authentication headers
  • Unusual traffic to MachineSense API ports

SIEM Query:

source_ip=* AND destination_port=(MachineSense_API_port) AND NOT authentication_header=*
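
The SIEM query above, worked as an added example (not code from the vendor or from this advisory): a Python pass over reverse-proxy access records that flags requests to the API port with no Authorization header and separates reads from state-changing calls per source. The port 8443, the JSON field names, the paths and the log lines are all constructed assumptions; substitute your own.

```python
import json
from collections import defaultdict

API_PORT = 8443  # assumption: placeholder for your MachineSense API port
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}  # likely configuration changes

# Constructed sample records (one JSON object per line), not real MachineSense logs.
SAMPLE_LOG = """\
{"src_ip":"10.0.5.20","dst_port":8443,"method":"GET","path":"/example/status","headers":{"Authorization":"Bearer abc"}}
{"src_ip":"192.0.2.44","dst_port":8443,"method":"GET","path":"/example/devices","headers":{}}
{"src_ip":"192.0.2.44","dst_port":8443,"method":"PUT","path":"/example/config","headers":{"User-Agent":"curl"}}
{"src_ip":"10.0.5.31","dst_port":443,"method":"GET","path":"/","headers":{}}
{"src_ip":"10.0.5.31","dst_port":8443,"method":"POST","path":"/example/config","headers":{"authorization":""}}
not-json
"""

def unauthenticated_requests(lines, api_port=API_PORT):
    """Yield records sent to the API port that carry no usable Authorization header."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the run
        if rec.get("dst_port") != api_port:
            continue
        # Header names are case-insensitive; an empty value counts as missing.
        headers = {k.lower(): v for k, v in (rec.get("headers") or {}).items()}
        if not str(headers.get("authorization") or "").strip():
            yield rec

def summarize(lines, api_port=API_PORT):
    """Per source IP, count unauthenticated reads and writes."""
    out = defaultdict(lambda: {"reads": 0, "writes": 0})
    for rec in unauthenticated_requests(lines, api_port):
        is_write = str(rec.get("method", "")).upper() in WRITE_METHODS
        out[rec.get("src_ip", "unknown")]["writes" if is_write else "reads"] += 1
    return dict(out)

if __name__ == "__main__":
    for ip, c in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        severity = "HIGH" if c["writes"] else "MEDIUM"  # writes imply config tampering
        print(f"{severity} {ip}: {c['reads']} reads, {c['writes']} writes without auth")
```

After the fix or an authenticating proxy is in place, the same pass should return nothing for successful requests; remaining hits then indicate a bypass path or a misrouted listener.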
