DIVD-2023-00021 - Multiple vulnerabilities in Danfoss AK-EM 100
|Case lead||Max van der Horst|
|Product||Danfoss AK-EM 100|
|Recommendation||It is recommended by Danfoss to phase out the AK-EM 100|
|Last modified||26 May 2023 17:50|
Multiple injection-related vulnerabilities exist in a set of Danfoss products, among which the AK-EM 100. These vulnerabilities should be considered serious and could lead to the full compromise of your system. It is advised to phase out the AK-EM 100, as its vendor Danfoss confirms the AK-EM 100 to be End of Life and that it will not be releasing a patch for this product.
What you can do
For the AK-EM 100, it is advised to phase out this product. If this is not possible, ensure it is not connected to the public Internet.
What we are doing
After completing the CVE registration, DIVD will start scanning for vulnerable instances. Owners of vulnerable systems receive a notification with instructions to mitigate the vulnerabilities.
|18 Jan 2023||Researchers from Hackdefense reach out to DIVD, DIVD starts investigation|
|18 Jan 2023||Vulnerabilities reported|
18 Jan 2023-
17 Feb 2023
|Time to acknowledge|
|17 Feb 2023||Vendor acknowledges receipt of vulnerabilities|
|08 May 2023||Limited disclosure of the AK-EM 100 vulnerabilities|
|11 May 2023||DIVD starts scanning the internet for vulnerable instances.|
|26 May 2023||DIVD performs first mailrun.|
- Blog post by HackDefense on the findings in the AK-EM 100