CVE-2023-1133
published 2023-03-27

Priority: P183, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 50.05% (98.8th percentile)

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability in which the Device-status service listens on port 10100/UDP by default. The service accepts unverified UDP packets and deserializes their content, which could allow an unauthenticated attacker to remotely execute arbitrary code.

Affected

2 ranges

Vendor             Product                    Version range   Fixed in
delta_electronics  infrasuite_device_master   < 1.0.5         1.0.5
deltaww            infrasuite_device_master   < 1.0.5         1.0.5

Detection & IOCs (extracted from sources)

port: 10100/UDP
process: Device-Gateway-Status
command: BinaryFormatter.Deserialize()
  • Monitor for unexpected UDP traffic on port 10100 destined for InfraSuite Device Master hosts; any unsolicited or unauthenticated packets should be treated as suspicious.
  • Alert on anomalous child processes spawned by the 'Device-Gateway-Status' process, as successful exploitation results in code execution under that process context.
  • Inspect UDP payloads on port 10100 for .NET BinaryFormatter serialized object headers (magic bytes: 0x00 0x01 0x00 0x00 0x00 / NRBF format); presence of these in inbound packets is a strong indicator of exploitation attempts.
  • Focus detection on the 'ParseUDPPacket()' method being invoked with externally-supplied data; network-level inspection of UDP/10100 traffic for serialized .NET objects is the primary detection surface.
  • The vulnerable service binds to UDP/10100 by default and requires no authentication, meaning any network-reachable host can trigger deserialization without credentials.
  • Affected versions are strictly below 1.0.5; ensure version checks target Delta Electronics InfraSuite Device Master < 1.0.5.
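
The payload check described in the bullets above, as an added example (not code from this page or from the vendor). It goes beyond the five magic bytes by validating the full 17-byte NRBF SerializationHeaderRecord (MajorVersion 1, MinorVersion 0), which cuts false positives. The function names, the packet tuple layout and the sample packets are assumptions constructed for illustration.

```python
import struct

# NRBF SerializationHeaderRecord: RecordTypeEnum (1 byte, value 0), then
# RootId, HeaderId, MajorVersion, MinorVersion as little-endian INT32.
HEADER_LEN = 17
PREFIX = bytes([0x00, 0x01, 0x00, 0x00, 0x00])  # magic bytes quoted in the bullets
WATCHED_PORT = 10100  # UDP port of the Device-status service

def find_nrbf_header(payload: bytes) -> int:
    """Return the offset of a structurally valid NRBF header, or -1."""
    pos = payload.find(PREFIX)
    while pos != -1:
        if pos + HEADER_LEN <= len(payload):
            _root, _hdr, major, minor = struct.unpack_from("<iiii", payload, pos + 1)
            if major == 1 and minor == 0:  # the only version values a valid header carries
                return pos
        pos = payload.find(PREFIX, pos + 1)
    return -1

def triage(packets):
    """packets: iterable of (src_ip, dst_port, payload); returns (src_ip, offset) alerts."""
    alerts = []
    for src, dport, payload in packets:
        if dport != WATCHED_PORT:
            continue
        offset = find_nrbf_header(payload)
        if offset != -1:
            alerts.append((src, offset))
    return alerts

# Constructed sample data: a bare header followed by filler bytes, no real object graph.
HEADER = bytes.fromhex("0001000000ffffffff0100000000000000")
BAD_VERSION = bytes.fromhex("0001000000ffffffff0200000000000000")
SAMPLE = [
    ("192.0.2.10", 10100, HEADER + b"\x00" * 8),             # header at offset 0
    ("192.0.2.11", 10100, b"\xaa\xbb\xcc\xdd" + HEADER),     # header behind 4 framing bytes
    ("192.0.2.12", 10100, b"STATUS OK"),                     # plain text, no header
    ("192.0.2.13", 10100, HEADER[:9]),                       # truncated, too short to validate
    ("192.0.2.14", 10100, BAD_VERSION),                      # magic bytes but MajorVersion 2
    ("192.0.2.15", 5353, HEADER),                            # valid header, different port
]

if __name__ == "__main__":
    for src, offset in triage(SAMPLE):
        print(f"ALERT udp/{WATCHED_PORT} from {src}: NRBF header at payload offset {offset}")
```
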