CVE-2023-6259
📋 TL;DR
This vulnerability in Brivo ACS100 and ACS300 access control systems allows attackers to bypass password recovery protections and gain unauthorized access. It enables exploitation of insufficient credential protection and improper access controls, potentially compromising physical security. Systems running firmware from version 5.2.4 up to (but not including) 6.2.4.3 are affected.
💻 Affected Systems
- Brivo ACS100
- Brivo ACS300
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete physical security bypass allowing unauthorized entry to secured facilities, credential theft, and potential system takeover.
Likely Case
Unauthorized access to physical locations, credential compromise, and potential privilege escalation within the access control system.
If Mitigated
Limited impact with proper network segmentation and monitoring, but physical security could still be compromised if systems are directly accessible.
🎯 Exploit Status
The vulnerability involves password recovery exploitation which typically requires minimal technical skill to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.2.4.3
Vendor Advisory: https://support.brivo.com/l/en/article/g82txdwepa-brivo-firmware-release-notes#brivo_firmware_release_6_2_4_3
Restart Required: Yes
Instructions:
1. Download firmware version 6.2.4.3 from Brivo support portal. 2. Backup current configuration. 3. Upload and install the new firmware via the web interface. 4. Reboot the device. 5. Verify the firmware version after reboot.
🔧 Temporary Workarounds
Network Isolation
allIsolate Brivo systems from untrusted networks and internet access to prevent remote exploitation.
Enhanced Monitoring
allImplement strict monitoring of authentication and password recovery attempts on Brivo systems.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Brivo systems from untrusted networks
- Enable detailed logging and monitoring for all authentication and password recovery attempts
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface: Login > System > About. If version is between 5.2.4 and 6.2.4.2 inclusive, system is vulnerable.Check Version:
No CLI command available. Use web interface: System > About to view firmware version.Verify Fix Applied:
After patching, verify firmware version shows 6.2.4.3 or higher in System > About page.📡 Detection & Monitoring
Log Indicators:
- Multiple failed password recovery attempts
- Successful password recovery from unusual IP addresses
- Authentication attempts from new or unexpected locations
Network Indicators:
- Unusual network traffic to Brivo systems from external sources
- Multiple HTTP requests to password recovery endpoints
SIEM Query:
source="brivo" AND (event_type="password_recovery" OR event_type="authentication") AND result="success" AND src_ip NOT IN [trusted_ips]