CVE-2023-22601

CRITICAL

InHand Networks IR302 <V3.5.56 & InRouter6XX-S <V2.3.0.r5542 - Info...

Title source: llm

Description

InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-330: Use of Insufficiently Random Values. They do not properly randomize MQTT ClientID parameters. An unauthorized user could calculate this parameter and use it to gather additional information about other InHand devices managed on the same cloud platform.

References (1)

[Third Party Advisory, US Government Resource] https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-03

Scores

CVSS v3 10.0

EPSS 0.0015

EPSS Percentile 35.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-330

Status published

Products (2)

inhandnetworks/inrouter302_firmware < 3.5.56

inhandnetworks/inrouter615-s_firmware < 2.3.0.r5542

Published Jan 12, 2023

Tracked Since Feb 18, 2026