CVE-2023-1133

CRITICAL

Deltaww Infrasuite Device Master < 1.0.5 - Insecure Deserialization

Description

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability in the Device-status service, which listens on port 10100/UDP by default. The service accepts unverified UDP packets and deserializes their content, which could allow an unauthenticated attacker to remotely execute arbitrary code.

Exploits (1)

metasploit WORKING POC EXCELLENT
by Anonymous, Shelby Pace · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/delta_electronics_infrasuite_deserialization.rb

Scores

CVSS v3 9.8
EPSS 0.8699
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status published

Affected Products (1)

deltaww/infrasuite_device_master < 1.0.5

Timeline

Published Mar 27, 2023
Tracked Since Feb 18, 2026