ICSA-23-012-03 · Published 2023-01-12
InHand Networks InRouter
CVSS 10.0 (CRITICAL)
Risk Summary
Successful exploitation of these vulnerabilities could allow a message queuing telemetry transport (MQTT) command injection, unauthorized disclosure of sensitive device information, and remote code execution. If properly chained, these vulnerabilities could result in an unauthorized remote user fully compromising every cloud-managed InHand Networks device reachable by the cloud.
Remediations
- InRouter302: users should update firmware to IR302 V3.5.56 or later
- InRouter615: users should update firmware to InRouter6XX-S-V2.3.0.r5542 or later
- To access the updates, users should go to “Documentation → Firmware” on the product page.
Affected Vendors
InHand Networks
Affected Products (2)
- InHand Networks InRouter 615: < InRouter6XX-S-V2.3.0.r5542
- InHand Networks InRouter 302: < IR302 3.5.56
Affected Sectors
Energy, Critical Manufacturing, Transportation, Healthcare