Skip to the content.

DIVD-2023-00021 - Multiple vulnerabilities in Danfoss AK-EM 100

Our reference DIVD-2023-00021
Case lead Max van der Horst
Researcher(s)
CVE(s)
Product Danfoss AK-EM 100
Recommendation It is recommended by Danfoss to phase out the AK-EM 100
Status Closed
Last modified 09 Sep 2024 22:22 CEST

Summary

Multiple injection-related vulnerabilities exist in a set of Danfoss products, among which the AK-EM 100. These vulnerabilities should be considered serious and could lead to the full compromise of your system. It is advised to phase out the AK-EM 100, as its vendor Danfoss confirms the AK-EM 100 to be End of Life and that it will not be releasing a patch for this product.

What you can do

For the AK-EM 100, it is advised to phase out this product. If this is not possible, ensure it is not connected to the public Internet.

What we are doing

After completing the CVE registration, DIVD will start scanning for vulnerable instances. Owners of vulnerable systems receive a notification with instructions to mitigate the vulnerabilities.

Timeline

Date Description
18 Jan 2023 Researchers from Hackdefense reach out to DIVD, DIVD starts investigation
18 Jan 2023 Vulnerabilities reported
18 Jan 2023-
17 Feb 2023
Time to acknowledge
17 Feb 2023 Vendor acknowledges receipt of vulnerabilities
08 May 2023 Limited disclosure of the AK-EM 100 vulnerabilities
11 May 2023 DIVD starts scanning the internet for vulnerable instances.
26 May 2023 DIVD performs first mailrun.
20 Dec 2023 Case closed.
gantt title DIVD-2023-00021 - Multiple vulnerabilities in Danfoss AK-EM 100 dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2023-00021 - Multiple vulnerabilities in Danfoss AK-EM 100 (336 days) :2023-01-18, 2023-12-20 section Events Researchers from Hackdefense reach out to DIVD, DIVD starts investigation : milestone, 2023-01-18, 0d Vulnerabilities reported : milestone, 2023-01-18, 0d Time to acknowledge (30 days) : 2023-01-18, 2023-02-17 Vendor acknowledges receipt of vulnerabilities : milestone, 2023-02-17, 0d Limited disclosure of the AK-EM 100 vulnerabilities : milestone, 2023-05-08, 0d DIVD starts scanning the internet for vulnerable instances. : milestone, 2023-05-11, 0d DIVD performs first mailrun. : milestone, 2023-05-26, 0d Case closed. : milestone, 2023-12-20, 0d

More information