DIVD-2023-00021 - Multiple vulnerabilities in Danfoss AK-EM 100
| Our reference | DIVD-2023-00021 |
| Case lead | Max van der Horst |
| Researcher(s) |
|
| CVE(s) | |
| Product | Danfoss AK-EM 100 |
| Recommendation | It is recommended by Danfoss to phase out the AK-EM 100 |
| Status | Closed |
| Last modified | 02 Jan 2024 14:22 |
Summary
Multiple injection-related vulnerabilities exist in a set of Danfoss products, among which the AK-EM 100. These vulnerabilities should be considered serious and could lead to the full compromise of your system. It is advised to phase out the AK-EM 100, as its vendor Danfoss confirms the AK-EM 100 to be End of Life and that it will not be releasing a patch for this product.
What you can do
For the AK-EM 100, it is advised to phase out this product. If this is not possible, ensure it is not connected to the public Internet.
What we are doing
After completing the CVE registration, DIVD will start scanning for vulnerable instances. Owners of vulnerable systems receive a notification with instructions to mitigate the vulnerabilities.
Timeline
| Date | Description |
|---|---|
| 18 Jan 2023 | Researchers from Hackdefense reach out to DIVD, DIVD starts investigation |
| 18 Jan 2023 | Vulnerabilities reported |
|
18 Jan 2023- 17 Feb 2023 |
Time to acknowledge |
| 17 Feb 2023 | Vendor acknowledges receipt of vulnerabilities |
| 08 May 2023 | Limited disclosure of the AK-EM 100 vulnerabilities |
| 11 May 2023 | DIVD starts scanning the internet for vulnerable instances. |
| 26 May 2023 | DIVD performs first mailrun. |
| 20 Dec 2023 | Case closed. |
gantt
title DIVD-2023-00021 - Multiple vulnerabilities in Danfoss AK-EM 100
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2023-00021 - Multiple vulnerabilities in Danfoss AK-EM 100 (still open) :2023-01-18, 2024-04-22
section Events
Researchers from Hackdefense reach out to DIVD, DIVD starts investigation : milestone, 2023-01-18, 0d
Vulnerabilities reported : milestone, 2023-01-18, 0d
Time to acknowledge (30 days) : 2023-01-18, 2023-02-17
Vendor acknowledges receipt of vulnerabilities : milestone, 2023-02-17, 0d
Limited disclosure of the AK-EM 100 vulnerabilities : milestone, 2023-05-08, 0d
DIVD starts scanning the internet for vulnerable instances. : milestone, 2023-05-11, 0d
DIVD performs first mailrun. : milestone, 2023-05-26, 0d
Case closed. : milestone, 2023-12-20, 0d
More information
- CVE-2023-22583
- CVE-2023-22584
- CVE-2023-22585
- CVE-2023-22586
- CVE-2023-25911
- CVE-2023-25912
- Blog post by HackDefense on the findings in the AK-EM 100