CVE-2019-11523

EIP tracks 1 public exploit for CVE-2019-11523. PoCs published by wizlab-it.

AI-analyzed exploit summary The repository contains functional exploit code demonstrating CVE-2019-11523, an authentication bypass and information leakage vulnerability in Anviz M3 RFID Access Control devices. The PoC scripts (Python and PHP) send crafted TCP packets to interact with the device's unauthenticated protocol, allowing actions like opening doors, retrieving user data, and altering records.

Anviz Global M3 Outdoor RFID Access Control executes any command received from any source. No authentication/encryption is done. Attackers can fully interact with the device: for example, send the "open door" command, download the users list (which includes RFID codes and passcodes in cleartext), or update/create users. The same attack can be executed on a local network and over the internet (if the device is exposed on a public IP address).