CVE-2017-3217
HIGHCalAmp LMU 3030 OBD-II/CDMA/GSM Firmware - Unauthenticated Administrative Command Execution via SMS Interface
Title source: llmDescription
CalAmp LMU 3030 series OBD-II CDMA and GSM devices has an SMS (text message) interface that can be deployed where no password is configured for this interface by the integrator / reseller. This interface must be password protected, otherwise, the attacker only needs to know the phone number of the device (via an IMSI Catcher, for example) to send administrative commands to the device. These commands can be used to provide ongoing, real-time access to the device and can configure parameters such as IP addresses, firewall rules, and passwords.
References (2)
Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
https://www.securityfocus.com/bid/98964
Third Party Advisory, US Government Resource third-party-advisory
x_refsource_cert-vn
https://www.kb.cert.org/vuls/id/251927
Scores
CVSS v3
8.1
EPSS
0.0205
EPSS Percentile
78.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-306
Status
published
Products (3)
calamp/lmu_3030_cdma_firmware
calamp/lmu_3030_gsm_firmware
calamp/lmu_3030_obd-ii_firmware
Published
Jul 24, 2018
Tracked Since
Feb 18, 2026