
DIVD-2023-00025 - Multiple vulnerabilities in Danfoss AK-SM800A

Our reference DIVD-2023-00025
Case lead Max van der Horst
Researcher(s)
  • Jony Schats (HackDefense)
  • Stan Plasmeijer (HackDefense)
  • Synacktiv
  • Max van der Horst
CVE(s)
Product Danfoss AK-SM800A
Recommendation Danfoss recommends installing the latest patch, version 3.3.
Status Closed
Last modified 25 Apr 2024 18:52

Summary

Multiple vulnerabilities related to insufficient access restrictions and missing input sanitization exist in the Danfoss AK-SM800A. These vulnerabilities should be considered serious and could lead to full compromise of the system. Danfoss advises updating to the latest version, which is version 3.3.

What you can do

For the AK-SM800A, it is advised to install the patch as soon as possible.

What we are doing

After completing the CVE registration, DIVD will start scanning for vulnerable instances. Owners of vulnerable systems receive a notification with instructions to mitigate the vulnerabilities.

Timeline

Date Description
18 Jan 2023 Researchers from HackDefense reach out to DIVD; DIVD starts its investigation
18 Jan 2023 Vulnerabilities reported
18 Jan 2023 - 17 Feb 2023 Time to acknowledge (30 days)
17 Feb 2023 Vendor acknowledges receipt of vulnerabilities.
17 Aug 2023 Limited disclosure of the AK-SM800A vulnerabilities, including later mentioned vulnerabilities.
17 Aug 2023 DIVD starts scanning the internet for vulnerable instances.
27 Sep 2023 DIVD starts notifying customers with a vulnerable instance.
20 Dec 2023 Case closed.

More information