CVE-2023-42143

MEDIUM

Shelly TRV - Code Injection

Title source: llm

Description

Missing Integrity Check in Shelly TRV 20220811-152343/v2.1.8@5afc928c allows malicious users to create a backdoor by redirecting the device to an attacker-controlled machine which serves the manipulated firmware file. The device is updated with the manipulated firmware.

References (1)

[Third Party Advisory] https://www.kth.se/cs/nse/research/software-systems-architecture-and-security/projects/ethical-hacking-1.1279219

Scores

CVSS v3 5.4

EPSS 0.0014

EPSS Percentile 32.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-354

Status published

Products (1)

shelly/trv_firmware 2.1.8

Published Jan 23, 2024

Tracked Since Feb 18, 2026