CVE-2024-8890
📋 TL;DR
CVE-2024-8890 allows attackers on the same network as vulnerable CIRCUTOR Q-SMT devices to intercept credentials and hijack sessions because the device only uses HTTP without encryption. This affects organizations using CIRCUTOR Q-SMT version 1.0.4 for power monitoring and management. Attackers can gain unauthorized access to device administration interfaces.
💻 Affected Systems
- CIRCUTOR Q-SMT
⚠️ Risk & Real-World Impact
Worst Case
Full device compromise allowing attackers to manipulate power monitoring data, disrupt operations, or use the device as a foothold into industrial control networks.
Likely Case
Credential theft and unauthorized access to device configuration, potentially leading to data manipulation or service disruption.
If Mitigated
Limited to network reconnaissance if proper segmentation and monitoring are in place.
🎯 Exploit Status
Exploitation requires network access but uses standard HTTP interception techniques. No authentication bypass needed once credentials are captured.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products
Restart Required: No
Instructions:
No official patch available. Monitor CIRCUTOR for firmware updates. Consider workarounds or replacement if security is critical.
🔧 Temporary Workarounds
Network Segmentation
(all platforms) Isolate CIRCUTOR Q-SMT devices on separate VLANs with strict access controls
Reverse Proxy with HTTPS
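(Linux) Place the device behind a reverse proxy that terminates HTTPS and forwards HTTP internally
    # Example nginx config:
    server {
        listen 443 ssl;                     # clients reach the proxy over TLS only
        server_name device.example.com;
        ssl_certificate     /path/to/cert.pem;
        ssl_certificate_key /path/to/key.pem;
        location / {
            # The proxy-to-device hop is still plain HTTP: keep it on the isolated segment.
            proxy_pass http://circutor-ip:port;   # placeholder: device address and port
            proxy_set_header Host $host;
        }
    }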
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to authorized management stations only
- Deploy network monitoring to detect credential interception attempts and unauthorized access
🔍 How to Verify
Check if Vulnerable:
Check the device web interface URL: if it starts with http:// rather than https:// and the firmware version is 1.0.4, the device is vulnerable.
Check Version:
Check the device web interface or serial console for firmware version information.
Verify Fix Applied:
Verify HTTPS is enforced and HTTP traffic is blocked. Check for firmware updates from vendor.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts from unusual IPs
- Successful logins from unexpected locations or times
- Configuration changes not performed by authorized personnel
Network Indicators:
- HTTP traffic to device on unusual ports
- ARP spoofing or MITM activity near device network segment
- Unencrypted HTTP traffic containing login credentials
SIEM Query:
source_ip IN (device_management_ips) AND (protocol="HTTP" AND (uri CONTAINS "login" OR uri CONTAINS "session"))
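Added example (not part of the original page or any vendor tooling): one reading of the SIEM query above, applied to constructed request records and combined with the management-station allow-list from "If You Can't Patch". The device address, allow-list range and record layout are assumptions made for illustration.

```python
import ipaddress

# Assumptions (not from the advisory): the device address, the management
# allow-list and the space-separated record layout are all constructed.
DEVICE_IPS = {"10.20.0.15"}
MGMT_STATIONS = [ipaddress.ip_network("10.20.9.0/28")]
SENSITIVE = ("login", "session")  # URI keywords from the SIEM query

# Constructed sample records: time src dst dport scheme method uri
SAMPLE_LOG = """\
2024-10-01T08:00:01Z 10.20.9.4 10.20.0.15 80 http POST /login
2024-10-01T08:00:09Z 10.20.9.4 10.20.0.15 80 http GET /status
2024-10-01T08:03:44Z 10.20.7.88 10.20.0.15 80 http POST /login
2024-10-01T08:03:51Z 10.20.7.88 10.20.0.15 80 http GET /session/info
2024-10-01T08:05:10Z 10.20.9.5 10.20.0.20 443 https POST /login
truncated record
"""

def parse(line):
    """Return a record dict, or None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, dst, _dport, scheme, _method, uri = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
                "scheme": scheme.lower(), "uri": uri.lower()}
    except ValueError:
        return None

def detect(log_text):
    """Flag cleartext requests to a device that touch login/session URIs.
    'exposed' = allowed station, sent in cleartext; 'unauthorized' = other."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["dst"] not in DEVICE_IPS or rec["scheme"] != "http":
            continue
        if not any(word in rec["uri"] for word in SENSITIVE):
            continue
        allowed = any(rec["src"] in net for net in MGMT_STATIONS)
        findings.append((rec["ts"], str(rec["src"]), rec["uri"],
                         "exposed" if allowed else "unauthorized"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

Once the reverse proxy workaround is in place, any "exposed" finding means a management station is still reaching the device directly over HTTP instead of through the proxy.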