CVE-2024-0390

9.8 CRITICAL

📋 TL;DR

The INPRAX 'iZZi connect' Android application contains hard-coded MQTT queue credentials that are shared with physical recuperation devices. This allows attackers to gain unauthorized access to manage and read parameters of the 'reQnet iZZi' recuperation units. This affects all users of 'iZZi connect' Android app versions before 2024010401.

💻 Affected Systems

Products:
  • INPRAX iZZi connect Android application
  • reQnet iZZi recuperation units
Versions: All versions before 2024010401
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration. Physical recuperation devices using the same MQTT queue credentials are also affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of connected recuperation units allowing attackers to manipulate device parameters, potentially causing physical damage or safety hazards, and accessing sensitive operational data.

🟠 Likely Case

Unauthorized monitoring of device parameters and potential manipulation of non-critical settings, leading to privacy violations and operational interference.

🟢 If Mitigated

Limited impact if devices are isolated from internet access and MQTT traffic is restricted to internal networks only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the hard-coded credentials, which are embedded in the application. Once the credentials are obtained, no further authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024010401

Vendor Advisory: https://cert.pl/en/posts/2024/02/CVE-2024-0390/

Restart Required: Yes

Instructions:

1. Update 'iZZi connect' Android app to version 2024010401 or later via Google Play Store.
2. Ensure connected recuperation units are updated if applicable.
3. Restart both application and devices after update.

🔧 Temporary Workarounds

Network Isolation

all

Isolate recuperation devices and MQTT traffic from internet access

MQTT Credential Rotation

all

Change MQTT queue credentials on all affected devices

🧯 If You Can't Patch

  • Disconnect recuperation units from network entirely
  • Implement strict network segmentation to isolate MQTT traffic

🔍 How to Verify

Check if Vulnerable:

Check the app version in Android settings. If the version is earlier than 2024010401, the system is vulnerable.

Check Version:

Not applicable - check via Android app settings

Verify Fix Applied:

Confirm app version is 2024010401 or later in Android app settings.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized MQTT connections to recuperation device queues
  • Unexpected parameter changes in device logs

Network Indicators:

  • MQTT traffic from unexpected sources
  • Unusual patterns in MQTT protocol communications

SIEM Query:

source="mqtt" AND (event_type="connection" OR event_type="publish") AND NOT src_ip IN [authorized_ips]
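
The query above as runnable logic, an added example that is not part of the original advisory. It assumes broker events are exported as JSON lines using the query's field names (`source`, `event_type`, `src_ip`); the allowlist networks and the sample events are constructed.

```python
import ipaddress
import json

# Assumed allowlist standing in for [authorized_ips] (constructed values).
AUTHORIZED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.15/32")]
WATCHED_EVENTS = {"connection", "publish"}

# Constructed sample events; only the three queried field names come from the page.
SAMPLE_EVENTS = """\
{"source": "mqtt", "event_type": "connection", "src_ip": "10.20.0.7"}
{"source": "mqtt", "event_type": "publish", "src_ip": "203.0.113.50"}
{"source": "mqtt", "event_type": "subscribe", "src_ip": "203.0.113.50"}
{"source": "auth", "event_type": "connection", "src_ip": "198.51.100.9"}
{"source": "mqtt", "event_type": "connection", "src_ip": "not-an-ip"}
this line is not JSON
{"source": "mqtt", "event_type": "connection", "src_ip": "192.0.2.15"}
"""

def is_authorized(src_ip):
    """True only if src_ip parses and falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # a missing or malformed source is treated as unauthorized
    return any(addr in net for net in AUTHORIZED_NETS)

def find_alerts(text):
    """Return (alerts, skipped): matching events and unparseable line numbers."""
    alerts, skipped = [], []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped.append(n)  # keep a count so dropped log lines stay visible
            continue
        if not isinstance(ev, dict):
            skipped.append(n)
            continue
        if ev.get("source") != "mqtt" or ev.get("event_type") not in WATCHED_EVENTS:
            continue
        if not is_authorized(str(ev.get("src_ip", ""))):
            alerts.append((n, ev["event_type"], ev.get("src_ip")))
    return alerts, skipped

if __name__ == "__main__":
    found, bad = find_alerts(SAMPLE_EVENTS)
    for line_no, event_type, src in found:
        print(f"line {line_no}: {event_type} from unauthorized source {src}")
    print(f"unparseable lines: {bad}")
```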
