PatchSiren cyber security CVE debrief
CVE-2023-3643 CAREL CVE debrief
A critical Local File Inclusion (LFI) vulnerability in CAREL Boss-Mini (version 1.4.0 Build 6221) allows network-adjacent attackers to access unauthorized filesystem resources including configuration files, password files, and system logs. Published June 20, 2024, this vulnerability carries a CVSS 3.1 score of 9.8 (Critical) with network attack vector, low complexity, and no privileges required. The LFI technique enables read access to sensitive data that could facilitate further compromise. CAREL has released firmware version 1.6.0 to address this issue.
- Vendor
- CAREL
- Product
- Boss-Mini
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-06-20
- Original CVE updated
- 2024-06-20
- Advisory published
- 2024-06-20
- Advisory updated
- 2024-06-20
Who should care
Organizations operating HVAC and building automation systems using CAREL Boss-Mini controllers, particularly in critical infrastructure environments. Security teams responsible for OT/ICS network segmentation and industrial control system hardening. Facility managers and system integrators deploying CAREL equipment who must ensure firmware maintenance cycles. Compliance officers addressing NERC CIP, IEC 62443, or similar industrial cybersecurity frameworks requiring vulnerability management for control system assets.
Technical summary
The vulnerability exists in the web interface of CAREL Boss-Mini 1.4.0 (Build 6221), where insufficient input validation allows path traversal sequences to access files outside intended directories. An attacker present on the same network segment can craft HTTP requests containing directory traversal patterns (e.g., ../ sequences) to read arbitrary files from the device's filesystem. This includes sensitive configuration files containing credentials, system logs revealing operational patterns, and password files that may enable further authentication bypass. The attack requires no authentication and minimal technical sophistication, with network-based exploitability. The complete compromise of confidentiality, integrity, and availability (per CVSS 3.1 metrics) reflects the potential for credential extraction leading to administrative access and subsequent device manipulation.
Defensive priority
Critical
Recommended defensive actions
- Update CAREL Boss-Mini firmware to version 1.6.0 or later immediately
- If immediate patching is not feasible, change all default login credentials and enforce strong password policies per vendor guidance
- Deploy affected devices in segregated internal networks following CAREL security recommendations (document +030220471)
- Review and restrict network segmentation to limit attacker lateral movement capabilities
- Monitor for unauthorized file access attempts and anomalous authentication patterns
Evidence notes
CISA CSAF advisory ICSA-24-172-02 identifies the affected product as CAREL Boss-Mini 1.4.0 (Build 6221). The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H confirms network accessibility with complete confidentiality, integrity, and availability impact. Vendor remediation guidance specifies firmware update to version 1.6.0 or later.
Official resources
-
CVE-2023-3643 CVE record
CVE.org
-
CVE-2023-3643 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Published June 20, 2024 by CISA as advisory ICSA-24-172-02. The vulnerability affects CAREL Boss-Mini version 1.4.0 (Build 6221). No known exploitation in ransomware campaigns has been reported.