Home

Description

The devices do not implement any authentication for the web interface or the MQTT server. An attacker who has network access to the device immediately gets administrative access to the devices and can perform arbitrary administrative actions and reconfigure the devices or potentially gain access to sensitive data.

PUBLISHED Reserved 2025-03-07 | Published 2025-05-21 | Updated 2025-11-03 | Assigner SEC-VLab

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status
affected

<=2.2.0
affected

Credits

Stefan Viehböck | SEC Consult Vulnerability Lab finder

References

seclists.org/fulldisclosure/2025/May/23

r.sec-consult.com/echarge third-party-advisory

cve.org (CVE-2025-27803)

nvd.nist.gov (CVE-2025-27803)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.