CVE-2024-0390 (GCVE-0-2024-0390)
Vulnerability from cvelistv5 – Published: 2024-02-15 09:11 – Updated: 2025-03-13 17:58
VLAI
Title
Hard-coded credentials in iZZi connect application
Summary
INPRAX "iZZi connect" application on Android contains hard-coded MQTT queue credentials. The same MQTT queue is used by corresponding physical recuperation devices. Exploiting this vulnerability could potentially allow unauthorized access to manage and read parameters of the recuperation unit "reQnet iZZi".This issue affects "iZZi connect" application versions before 2024010401.
Severity
6.2 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2024/02/CVE-2024-0390/ | third-party-advisory |
| https://cert.pl/posts/2024/02/CVE-2024-0390/ | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| INPRAX | iZZi connect |
Affected:
0 , < 2024010401
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-0390",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-22T19:19:14.884809Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T17:58:39.772Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:04:49.430Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/en/posts/2024/02/CVE-2024-0390/"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/posts/2024/02/CVE-2024-0390/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://play.google.com/store/apps/details?id=inprax.izzi",
"defaultStatus": "unaffected",
"platforms": [
"Android"
],
"product": "iZZi connect",
"vendor": "INPRAX",
"versions": [
{
"lessThan": "2024010401",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgba(214, 214, 214, 0.1);\"\u003eINPRAX \"iZZi connect\" application on Android contains hard-coded MQTT queue credentials. The same MQTT queue is used by corresponding physical recuperation devices. Exploiting this vulnerability could potentially allow unauthorized access to manage and read parameters of the recuperation unit \"reQnet iZZi\".\u003c/span\u003e\u003cp\u003eThis issue affects \"iZZi connect\" application versions before 2024010401.\u003c/p\u003e"
}
],
"value": "INPRAX \"iZZi connect\" application on Android contains hard-coded MQTT queue credentials. The same MQTT queue is used by corresponding physical recuperation devices. Exploiting this vulnerability could potentially allow unauthorized access to manage and read parameters of the recuperation unit \"reQnet iZZi\".This issue affects \"iZZi connect\" application versions before 2024010401.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-15T09:11:14.559Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2024/02/CVE-2024-0390/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2024/02/CVE-2024-0390/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Hard-coded credentials in iZZi connect application",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2024-0390",
"datePublished": "2024-02-15T09:11:14.559Z",
"dateReserved": "2024-01-10T08:24:47.234Z",
"dateUpdated": "2025-03-13T17:58:39.772Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-0390",
"date": "2026-06-02",
"epss": "0.00156",
"percentile": "0.36077"
},
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"INPRAX \\\"iZZi connect\\\" application on Android contains hard-coded MQTT queue credentials. The same MQTT queue is used by corresponding physical recuperation devices. Exploiting this vulnerability could potentially allow unauthorized access to manage and read parameters of the recuperation unit \\\"reQnet iZZi\\\".This issue affects \\\"iZZi connect\\\" application versions before 2024010401.\\n\\n\"}, {\"lang\": \"es\", \"value\": \"La aplicaci\\u00f3n INPRAX \\\"iZZi connect\\\" en Android contiene credenciales de cola MQTT codificadas. Los dispositivos de recuperaci\\u00f3n f\\u00edsica correspondientes utilizan la misma cola MQTT. La explotaci\\u00f3n de esta vulnerabilidad podr\\u00eda permitir el acceso no autorizado para administrar y leer los par\\u00e1metros de la unidad de recuperaci\\u00f3n \\\"reQnet iZZi\\\". Este problema afecta a las versiones de la aplicaci\\u00f3n \\\"iZZi connect\\\" anteriores a 2024010401.\"}]",
"id": "CVE-2024-0390",
"lastModified": "2024-11-21T08:46:29.297",
"published": "2024-02-15T10:15:09.043",
"references": "[{\"url\": \"https://cert.pl/en/posts/2024/02/CVE-2024-0390/\", \"source\": \"cvd@cert.pl\"}, {\"url\": \"https://cert.pl/posts/2024/02/CVE-2024-0390/\", \"source\": \"cvd@cert.pl\"}, {\"url\": \"https://cert.pl/en/posts/2024/02/CVE-2024-0390/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://cert.pl/posts/2024/02/CVE-2024-0390/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "cvd@cert.pl",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"cvd@cert.pl\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-798\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-0390\",\"sourceIdentifier\":\"cvd@cert.pl\",\"published\":\"2024-02-15T10:15:09.043\",\"lastModified\":\"2025-03-13T18:15:36.243\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"INPRAX \\\"iZZi connect\\\" application on Android contains hard-coded MQTT queue credentials. The same MQTT queue is used by corresponding physical recuperation devices. Exploiting this vulnerability could potentially allow unauthorized access to manage and read parameters of the recuperation unit \\\"reQnet iZZi\\\".This issue affects \\\"iZZi connect\\\" application versions before 2024010401.\\n\\n\"},{\"lang\":\"es\",\"value\":\"La aplicaci\u00f3n INPRAX \\\"iZZi connect\\\" en Android contiene credenciales de cola MQTT codificadas. Los dispositivos de recuperaci\u00f3n f\u00edsica correspondientes utilizan la misma cola MQTT. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir el acceso no autorizado para administrar y leer los par\u00e1metros de la unidad de recuperaci\u00f3n \\\"reQnet iZZi\\\". Este problema afecta a las versiones de la aplicaci\u00f3n \\\"iZZi connect\\\" anteriores a 2024010401.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.5,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"cvd@cert.pl\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:inprax:izzi_connect:*:*:*:*:*:android:*:*\",\"versionEndExcluding\":\"2024010401\",\"matchCriteriaId\":\"DFEEB825-97A4-4A8E-A606-58A9762A974E\"}]}]}],\"references\":[{\"url\":\"https://cert.pl/en/posts/2024/02/CVE-2024-0390/\",\"source\":\"cvd@cert.pl\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://cert.pl/posts/2024/02/CVE-2024-0390/\",\"source\":\"cvd@cert.pl\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://cert.pl/en/posts/2024/02/CVE-2024-0390/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://cert.pl/posts/2024/02/CVE-2024-0390/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"affected\": [{\"collectionURL\": \"https://play.google.com/store/apps/details?id=inprax.izzi\", \"defaultStatus\": \"unaffected\", \"platforms\": [\"Android\"], \"product\": \"iZZi connect\", \"vendor\": \"INPRAX\", \"versions\": [{\"lessThan\": \"2024010401\", \"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\"}]}], \"descriptions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgba(214, 214, 214, 0.1);\\\"\u003eINPRAX \\\"iZZi connect\\\" application on Android contains hard-coded MQTT queue credentials. The same MQTT queue is used by corresponding physical recuperation devices. Exploiting this vulnerability could potentially allow unauthorized access to manage and read parameters of the recuperation unit \\\"reQnet iZZi\\\".\u003c/span\u003e\u003cp\u003eThis issue affects \\\"iZZi connect\\\" application versions before 2024010401.\u003c/p\u003e\"}], \"value\": \"INPRAX \\\"iZZi connect\\\" application on Android contains hard-coded MQTT queue credentials. The same MQTT queue is used by corresponding physical recuperation devices. Exploiting this vulnerability could potentially allow unauthorized access to manage and read parameters of the recuperation unit \\\"reQnet iZZi\\\".This issue affects \\\"iZZi connect\\\" application versions before 2024010401.\\n\\n\"}], \"impacts\": [{\"capecId\": \"CAPEC-114\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-114 Authentication Abuse\"}]}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-798\", \"description\": \"CWE-798 Use of Hard-coded Credentials\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"orgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"shortName\": \"CERT-PL\", \"dateUpdated\": \"2024-02-15T09:11:14.559Z\"}, \"references\": [{\"tags\": [\"third-party-advisory\"], \"url\": \"https://cert.pl/en/posts/2024/02/CVE-2024-0390/\"}, {\"tags\": [\"third-party-advisory\"], \"url\": \"https://cert.pl/posts/2024/02/CVE-2024-0390/\"}], \"source\": {\"discovery\": \"UNKNOWN\"}, \"title\": \"Hard-coded credentials in iZZi connect application\", \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T18:04:49.430Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"tags\": [\"third-party-advisory\", \"x_transferred\"], \"url\": \"https://cert.pl/en/posts/2024/02/CVE-2024-0390/\"}, {\"tags\": [\"third-party-advisory\", \"x_transferred\"], \"url\": \"https://cert.pl/posts/2024/02/CVE-2024-0390/\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.2, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-0390\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-02-22T19:19:14.884809Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:13.033Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2024-0390\", \"assignerOrgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"CERT-PL\", \"dateReserved\": \"2024-01-10T08:24:47.234Z\", \"datePublished\": \"2024-02-15T09:11:14.559Z\", \"dateUpdated\": \"2025-03-13T17:58:39.772Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…