TXOne Networks researchers have disclosed details of 10 security vulnerabilities affecting Loytec building automation products that remained unpatched more than two years after their discovery, SecurityWeek reports.
The flaws, tracked as CVE-2023-46380 through CVE-2023-46389, affect the LINX-151, LINX-212, and LIOB-586 programmable automation stations for building application management, the L-INX Configurator tool, the LWEB-802 visualization tool, and LVIS-3ME12-AI touch panels; exploiting them could result in system takeover and the deactivation of building security systems, TXOne said.
Attackers with admin privileges could exploit CVE-2023-46387 and CVE-2023-46389 to easily access files containing SMTP client credentials, while threat actors with local access to machines running the L-INX Configurator could use CVE-2023-46384 to steal passwords. Exploiting CVE-2023-46382 requires no technical skill. However, a man-in-the-middle position is required before CVE-2023-46380, CVE-2023-46382, CVE-2023-46383, and CVE-2023-46385 can be exploited.
TXOne disclosed the information after Loytec failed to respond to outreach from Trend Micro's Zero Day Initiative and the Cybersecurity and Infrastructure Security Agency.