CVE-2019-11523 Information

Description

Anviz Global M3 Outdoor RFID Access Control executes any command received from any source. No authentication/encryption is done. Attackers can fully interact with the device: for example send the \open door\ command download the users list (which includes RFID codes and passcodes in cleartext) or update/create users. The same attack can be executed on a local network and over the internet (if the device is exposed on a public IP address).

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://github.com/wizlab-it/anviz-m3-rfid-cve-2019-11523-poc

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8