CVE-2023-5222
published 2023-09-27


Priority: P1 (90)
Severity: critical, 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit status: ITW exploit, VulnCheck KEV (exploited in the wild)
EPSS: 74.70% (99.4th percentile)
A vulnerability classified as critical was found in Viessmann Vitogate 300 up to 2.1.3.0. This vulnerability affects the function isValidUser of the file /cgi-bin/vitogate.cgi of the component Web Management Interface. The manipulation leads to use of hard-coded password. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-240364. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Affected (5 ranges)

Vendor    | Product               | Version range | Fixed in
viessmann | vitogate_300          |               |
viessmann | vitogate_300          |               |
viessmann | vitogate_300          |               |
viessmann | vitogate_300          |               |
viessmann | vitogate_300_firmware | <= 2.1.3.0    |

Detection & IOCs (extracted from sources)

path: /cgi-bin/vitogate.cgi
other: username: vitomaster, password: viessmann1917
other: username: vitogate, password: viessmann
url: http://<target>/cgi-bin/vitogate.cgi
command: POST /cgi-bin/vitogate.cgi HTTP/1.1 Content-Type: application/json {"method":"put","form":"form-login","params":{"uid":"{{username}}","pwd":"{{password}}"}}
command: {"method":"put","form":"form-4-7","session":"","params":{"ipaddr":"1;<command>"}}
  • Shodan dork to identify exposed Vitogate 300 devices: http.title:'Vitogate 300'
  • FOFA query to identify exposed Vitogate 300 devices: title="Vitogate 300"
  • Detect authentication attempts using hardcoded credentials (vitomaster/viessmann1917 or vitogate/viessmann) via POST to /cgi-bin/vitogate.cgi with JSON body containing 'form-login'
  • Detect command injection attempts: POST to /cgi-bin/vitogate.cgi with JSON body containing 'form-4-7' and shell metacharacters in the 'ipaddr' parameter (e.g., '1;<command>')
  • Successful exploitation response contains both 'admin":true' and '"sessionId":' in the JSON response body with HTTP 200 and Content-Type application/json
  • The exploit targets /cgi-bin/vitogate.cgi on port 80 by default; the port is configurable in the exploit script.
  • The vulnerability affects Vitogate 300 versions 2.1.3.0 and prior; version 3.0.0.0 is the patched release.
  • CVE-2023-5222 (hardcoded credentials) is chained with CVE-2023-45852 (command injection via ipaddr shell metacharacters) to achieve full unauthenticated RCE.

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       | v2.0    | 5.8   | MEDIUM   | AV:A/AC:L/Au:N/C:P/I:P/A:P
vulncheck |         | 6.3   | MEDIUM   |