CISA reports critical security vulnerabilities in Viessmann Vitogate 300
Take action: If you are using Viessmann Climate Solutions Vitogate 300, make sure it is reachable only from an isolated network of trusted systems and is not exposed to the internet. Then plan to update the device to a fixed firmware version.
Learn More
Viessmann Climate Solutions SE, a global provider of climate solutions, disclosed multiple critical security vulnerabilities in its Vitogate 300 product. CISA discovered a public proof of concept (PoC) authored by ByteHunter and reported it to Viessmann.
The Vitogate 300 integrates boilers and heat pumps with building management systems. The product is used in the Commercial Facilities sector and is deployed worldwide, so organizations in any region could be affected.
The vulnerabilities were identified in versions 2.1.3.0 and earlier of the product.
Key Vulnerabilities Identified
- CVE-2023-5222 (CVSS score 9.8) - Use of Hard-coded Credentials - The isValidUser function of /cgi-bin/vitogate.cgi in the Web Management Interface of Vitogate 300 compares the supplied password against a value embedded in the firmware. Anyone who knows that hard-coded password can authenticate to the interface without legitimate credentials.
- CVE-2023-45852 (CVSS score 9.8) - Command Injection - /cgi-bin/vitogate.cgi passes the ipaddr element of the JSON body of a put request to a shell without sanitizing it, so an attacker can append shell metacharacters (for example ; or |) to run arbitrary commands. The flaw lets an attacker bypass authentication and execute commands on the device, i.e. unauthenticated remote code execution.
- CVE-2023-5702 (CVSS score 7.1) - Forced Browsing - Files under the /cgi-bin/ directory can be requested directly without an authorization check. Requesting these URLs directly exposes confidential information and internal files.
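To make the first two bug classes concrete, the following is an added example written for this page; it is not Viessmann's code and not the ByteHunter PoC. It models a hypothetical CGI-style put handler in Python: vulnerable_put reproduces a hard-coded password check (CWE-798) and interpolation of the JSON ipaddr field into a shell command line (CWE-78), and hardened_put shows the fixes, namely per-device credentials checked in constant time, ipaddr accepted only as a bare IP literal via the ipaddress module, and an argv list with no shell. The function names, the use of ping as the command, and every password or user value below are constructed assumptions; the vulnerable side returns the shell string it would run instead of executing it so the example is safe to run.

```python
"""Hypothetical CGI-style 'put' handler modelled on the two vitogate.cgi bug
classes in the advisory (CWE-798 hard-coded credentials, CWE-78 shell command
injection via an ipaddr field). Added example, not Viessmann's code; every
constant below is a constructed stand-in."""
import hashlib
import hmac
import ipaddress
import json
import os
import subprocess

# ---------------------------------------------------------------- vulnerable
DEMO_HARDCODED_PW = "demo-hardcoded"   # constructed placeholder for an embedded password


def is_valid_user_vulnerable(user: str, password: str) -> bool:
    """CWE-798: the check compares against a constant baked into the binary,
    so the username is irrelevant and anyone who reads the firmware can log in."""
    return password == DEMO_HARDCODED_PW


def vulnerable_put(raw_json: str) -> dict:
    """Builds the shell command line the vulnerable handler would hand to
    'sh -c'. Returned as a string instead of executed so the example is safe;
    the ipaddr value is interpolated verbatim, so '; id' becomes a second
    command (CWE-78)."""
    body = json.loads(raw_json)
    if not is_valid_user_vulnerable(body.get("user", ""), body.get("password", "")):
        return {"status": 401}
    cmdline = "ping -c 1 %s" % body.get("ipaddr", "")
    return {"status": 200, "shell_cmdline": cmdline}


# ------------------------------------------------------------------ hardened
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Per-device credential store. On a real device this is written at
# commissioning (first login), never compiled into the firmware.
# Constructed demo values.
_SALT = os.urandom(16)
USER_DB = {"admin": (_SALT, _pbkdf2("demo-per-device-secret", _SALT))}


def is_valid_user_hardened(user: str, password: str) -> bool:
    """Look up the user, hash the supplied password with the stored salt and
    compare in constant time. Unknown users still cost one hash so response
    timing does not reveal which usernames exist."""
    salt, stored = USER_DB.get(user, (b"\x00" * 16, b"\x00" * 32))
    return hmac.compare_digest(_pbkdf2(password, salt), stored) and user in USER_DB


def validate_ipaddr(value) -> str:
    """Accept only a bare IPv4/IPv6 literal. ipaddress.ip_address rejects
    whitespace, quotes, ';', '|', '$(' and so on, so metacharacters never
    reach a command line. Raises ValueError on anything else."""
    if not isinstance(value, str):
        raise ValueError("ipaddr must be a string")
    return str(ipaddress.ip_address(value))


def hardened_put(raw_json: str) -> dict:
    """Same operation with authentication against the per-device store,
    strict input validation, and an argv list instead of a shell string."""
    try:
        body = json.loads(raw_json)
    except json.JSONDecodeError:
        return {"status": 400, "error": "malformed JSON"}
    if not is_valid_user_hardened(str(body.get("user", "")), str(body.get("password", ""))):
        return {"status": 401}
    try:
        ip = validate_ipaddr(body.get("ipaddr"))
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    # No shell: each element is exactly one argv entry, so there is nothing to inject.
    return {"status": 200, "argv": ["ping", "-c", "1", ip]}


def run_argv(argv: list) -> str:
    """How the hardened handler would execute the command: a list and
    shell=False. Not called by the example itself."""
    return subprocess.run(argv, capture_output=True, text=True, timeout=5).stdout
```

Feeding both handlers the body {"user": "anyone", "password": "demo-hardcoded", "ipaddr": "127.0.0.1; id"} shows the difference: the vulnerable handler accepts the embedded password for any username and would run "ping -c 1 127.0.0.1; id" through a shell, while the hardened one returns 401 because the constant is not a credential, and with a real credential returns 400 because "127.0.0.1; id" is not an IP literal. The two checks are independent; a device that only fixed the password would still be exploitable by anyone who could log in.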