PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-46380 LOYTEC electronics GmbH CVE debrief

LOYTEC Electronics LINX Series devices transmit password-change requests over unencrypted HTTP, exposing credentials to network eavesdropping. The vulnerability affects multiple product lines including LINX-212, LVIS-3ME12-A1, and LIOB-586 with specific firmware versions 6.2.4, 6.2.2, and 6.2.3 respectively. CISA published this advisory on September 3, 2024. The vendor has released firmware version 8.2.8 to address this issue.

Vendor
LOYTEC electronics GmbH
Product
LINX-151
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2024-09-03
Original CVE updated
2024-09-03
Advisory published
2024-09-03
Advisory updated
2024-09-03

Who should care

Organizations operating LOYTEC building automation and industrial control systems, including facility managers, OT security teams, and critical infrastructure operators deploying LINX-212, LVIS-3ME12-A1, LIOB-586, and related product lines.

Technical summary

Affected LOYTEC devices in the LINX series send password-change requests over cleartext HTTP rather than HTTPS. Anyone able to observe traffic between the administrator's browser and the device (a host on the same segment, a mirrored switch port, a compromised intermediate hop) can read the submitted credentials with purely passive monitoring; no active interference with the session is needed. The CVSS vector rates the weakness as network-reachable with no privileges and no user interaction (AV:N, PR:N, UI:N): the attacker needs no account on the device and nothing beyond a vantage point on the traffic path. The vector scores only the direct effect, a high confidentiality impact (C:H) with no integrity or availability impact (I:N, A:N). In practice, captured administrative credentials let the eavesdropper log in to the device and change its configuration, so the operational consequences are larger than the base score alone conveys.

Defensive priority

HIGH

Recommended defensive actions

  • Update affected LOYTEC devices to firmware version 8.2.8 or later
  • Disable HTTP on affected devices and serve the management interface over HTTPS only, following the vendor's security hardening guide
  • Segment building automation devices from untrusted networks so that management traffic never crosses a segment an attacker could monitor
  • Monitor for cleartext HTTP sessions to affected device management interfaces, in particular POST requests carrying credential fields, and treat any such session as a potential credential exposure
  • Treat any password that was changed over cleartext HTTP as compromised, and rotate it only after the firmware update or the HTTP disablement is in place, since a rotation performed over HTTP exposes the new password in the same way
  • Apply defense-in-depth controls per CISA's recommended practices for industrial control systems
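The following is an added example for the monitoring action above and for the passive-eavesdropping scenario in the technical summary; it is not code from CISA, LOYTEC or PatchSiren. It parses reassembled HTTP request payloads (as exported from a SPAN-port or TAP capture) and flags requests to a set of assumed device addresses whose form body or query string carries password-like parameter names. The advisory does not name the LOYTEC form fields, so the field-name pattern, the device addresses and the sample requests are all assumptions constructed for this example; tune the pattern from one observed request against your own device.

```python
"""Passive detector for cleartext credential submissions to device web UIs.

Added example, not vendor or CISA tooling. Scans reassembled HTTP request
payloads for POST/GET requests to known device management addresses whose
form body or query string contains password-like parameters. The LOYTEC
form field names are NOT given in the advisory; CREDENTIAL_FIELD is an
assumed heuristic, as are the device addresses and the sample traffic.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Assumed heuristic: parameter names that usually carry a secret.
CREDENTIAL_FIELD = re.compile(r"pass(word|wd)?|pwd|secret", re.IGNORECASE)
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    method: str
    path: str
    fields: tuple  # credential-bearing parameter names; values are never stored


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body).

    Returns None when the payload is not a well-formed cleartext request
    (TLS records, binary protocols, truncated data).
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("iso-8859-1").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group("method"), m.group("target"), headers, body


def credential_fields(target: str, headers: dict, body: bytes) -> tuple:
    """Names of password-like parameters in the query string or form body."""
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True)
    return tuple(sorted({name for name, _ in params if CREDENTIAL_FIELD.search(name)}))


def scan(flows, device_hosts) -> list:
    """flows: iterable of (src_ip, dst_ip, dst_port, raw_request_bytes)."""
    alerts = []
    for src, dst, _port, raw in flows:
        if dst not in device_hosts:
            continue
        parsed = parse_http_request(raw)
        if parsed is None:
            continue  # not cleartext HTTP (e.g. TLS on 443): nothing readable
        method, target, headers, body = parsed
        fields = credential_fields(target, headers, body)
        if fields:
            alerts.append(Alert(src, dst, method, urlsplit(target).path, fields))
    return alerts


# Constructed sample traffic (NOT real captures): one cleartext password-change
# POST to a device, one harmless GET, one POST to a host outside the device set.
DEVICE_HOSTS = {"10.20.30.40", "10.20.30.41"}  # assumed controller addresses
SAMPLE_FLOWS = [
    ("10.20.1.5", "10.20.30.40", 80,
     b"POST /webui/user/passwd HTTP/1.1\r\nHost: 10.20.30.40\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 44\r\n\r\n"
     b"user=admin&oldpass=Winter23&newpass=Spring24"),
    ("10.20.1.5", "10.20.30.40", 80,
     b"GET /webui/status HTTP/1.1\r\nHost: 10.20.30.40\r\n\r\n"),
    ("10.20.1.9", "10.20.99.7", 80,
     b"POST /login HTTP/1.1\r\nHost: 10.20.99.7\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
     b"username=bob&password=hunter2"),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_FLOWS, DEVICE_HOSTS):
        print(f"ALERT {a.src} -> {a.dst} {a.method} {a.path} fields={a.fields}")
```

The alert deliberately records only the parameter names, never the values: a detection pipeline that copies captured passwords into a SIEM just creates a second cleartext store of the same secret. Once HTTP is disabled on the device, every remaining hit from this scanner points at a host that still has the old management URL bookmarked or scripted.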

Evidence notes

The CISA CSAF advisory ICSA-24-247-01 explicitly states that affected LOYTEC devices send password-change requests via cleartext HTTP. The advisory lists seven affected products: LINX-151, LINX-212, LVIS-3ME12-A1, LIOB-586, LIOB-580 V2, LIOB-588, and L-INX Configurator. Specific firmware versions mentioned are LINX-212 firmware 6.2.4, LVIS-3ME12-A1 firmware 6.2.2, and LIOB-586 firmware 6.2.3. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N yields a base score of 7.5 (HIGH severity).

Official resources

CISA published advisory ICSA-24-247-01 on September 3, 2024, disclosing that LOYTEC LINX-212 firmware 6.2.4, LVIS-3ME12-A1 firmware 6.2.2, and LIOB-586 firmware 6.2.3 transmit password-change requests via cleartext HTTP. The advisory was co