DIVD-2023-00025 - Multiple vulnerabilities in Danfoss AK-SM800A
Our reference | DIVD-2023-00025 |
Case lead | Max van der Horst |
Researcher(s) | |
CVE(s) | |
Product | Danfoss AK-SM800A |
Recommendation | It is recommended by Danfoss to install the latest patch with number 3.3. |
Status | Closed |
Last modified | 25 Apr 2024 18:52 CEST |
Summary
Multiple vulnerabilities related to insufficient restrictions and input sanitization exist in the Danfoss AK-SM800A. These vulnerabilities should be considered serious and could lead to the full compromise of your system. It is advised by Danfoss to update to the latest version, which is version 3.3.
What you can do
For the AK-SM800A, it is advised to install the patch as soon as possible.
What we are doing
After completing the CVE registration, DIVD will start scanning for vulnerable instances. Owners of vulnerable systems receive a notification with instructions to mitigate the vulnerabilities.
Timeline
Date | Description |
---|---|
18 Jan 2023 | Researchers from Hackdefense reach out to DIVD, DIVD starts investigation |
18 Jan 2023 | Vulnerabilities reported |
18 Jan 2023 - 17 Feb 2023 | Time to acknowledge |
17 Feb 2023 | Vendor acknowledges receipt of vulnerabilities. |
17 Aug 2023 | Limited disclosure of the AK-SM800A vulnerabilities, including later mentioned vulnerabilities. |
17 Aug 2023 | DIVD starts scanning the internet for vulnerable instances. |
27 Sep 2023 | DIVD starts notifying customers with a vulnerable instance. |
20 Dec 2023 | Case closed. |