Lucene search

MitreCVE-2023-43742

HistoryDec 08, 2023 - 1:15 a.m.

CVE-2023-43742

2023-12-0801:15:07

CWE-287

mitre

web.nvd.nist.gov

zultys

mx-se

mx-e

mx250

mx30

authentication bypass

firmware vulnerability

cve-2023-43742

nvd

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.001

Percentile

42.1%

JSON

An authentication bypass in Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 with firmware versions prior to 17.0.10 patch 17161 and 16.04 patch 16109 allows an unauthenticated attacker to obtain an administrative session via a protection mechanism failure in the authentication function. In normal operation, the Zultys MX Administrator Windows client connects to port 7505 and attempts authentication, submitting the administrator username and password to the server. Upon authentication failure, the server sends a login failure message prompting the client to disconnect. However, if the client ignores the failure message instead and attempts to continue, the server does not forcibly close the connection and processes all subsequent requests from the client as if authentication had been successful.

Affected configurations

Nvd

Node

zultysmx-seMatch-

AND

zultysmx-se_firmwareRange<16.0.4

zultysmx-se_firmwareRange17.0.6–17.0.10

Node

zultysmx-se_iiMatch-

AND

zultysmx-se_ii_firmwareRange<16.0.4

zultysmx-se_ii_firmwareRange17.0.6–17.0.10

Node

zultysmx-eMatch-

AND

zultysmx-e_firmwareRange<16.0.4

zultysmx-e_firmwareRange17.0.6–17.0.10

Node

zultysmx-virtualMatch-

AND

zultysmx-virtual_firmwareRange<16.0.4

zultysmx-virtual_firmwareRange17.0.6–17.0.10

Node

zultysmx250Match-

AND

zultysmx250_firmwareRange<16.0.4

zultysmx250_firmwareRange17.0.6–17.0.10

Node

zultysmx30Match-

AND

zultysmx30_firmwareRange<16.0.4

zultysmx30_firmwareRange17.0.6–17.0.10

VendorProductVersionCPE
zultysmx-se-cpe:2.3:h:zultys:mx-se:-:*:*:*:*:*:*:*
zultysmx-se_firmware*cpe:2.3:o:zultys:mx-se_firmware:*:*:*:*:*:*:*:*
zultysmx-se_ii-cpe:2.3:h:zultys:mx-se_ii:-:*:*:*:*:*:*:*
zultysmx-se_ii_firmware*cpe:2.3:o:zultys:mx-se_ii_firmware:*:*:*:*:*:*:*:*
zultysmx-e-cpe:2.3:h:zultys:mx-e:-:*:*:*:*:*:*:*
zultysmx-e_firmware*cpe:2.3:o:zultys:mx-e_firmware:*:*:*:*:*:*:*:*
zultysmx-virtual-cpe:2.3:h:zultys:mx-virtual:-:*:*:*:*:*:*:*
zultysmx-virtual_firmware*cpe:2.3:o:zultys:mx-virtual_firmware:*:*:*:*:*:*:*:*
zultysmx250-cpe:2.3:h:zultys:mx250:-:*:*:*:*:*:*:*
zultysmx250_firmware*cpe:2.3:o:zultys:mx250_firmware:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
zultys	mx-se	-	cpe:2.3:h:zultys:mx-se:-:::::::*
zultys	mx-se_firmware	*	cpe:2.3:o:zultys:mx-se_firmware::::::::
zultys	mx-se_ii	-	cpe:2.3:h:zultys:mx-se_ii:-:::::::*
zultys	mx-se_ii_firmware	*	cpe:2.3:o:zultys:mx-se_ii_firmware::::::::
zultys	mx-e	-	cpe:2.3:h:zultys:mx-e:-:::::::*
zultys	mx-e_firmware	*	cpe:2.3:o:zultys:mx-e_firmware::::::::
zultys	mx-virtual	-	cpe:2.3:h:zultys:mx-virtual:-:::::::*
zultys	mx-virtual_firmware	*	cpe:2.3:o:zultys:mx-virtual_firmware::::::::
zultys	mx250	-	cpe:2.3:h:zultys:mx250:-:::::::*
zultys	mx250_firmware	*	cpe:2.3:o:zultys:mx250_firmware::::::::

Rows per page:

1-10 of 121

References

github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0002.md

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.001

Percentile

42.1%

JSON

Related for CVE-2023-43742