PatchSiren cyber security CVE debrief
CVE-2023-3050 TMT CVE debrief
CVE-2023-3050 is a critical flaw in TMT Lockcell firmware in which the device relies on cookie contents when making a security decision, without validating those contents or checking their integrity (CWE-565). According to the published NVD and advisory data, this can lead to authentication bypass and privilege escalation in firmware versions before 15.0. The issue is network-reachable, requires no privileges or user interaction, and is rated CVSS 3.1 9.8 (Critical).
- Vendor: TMT
- Product: Lockcell
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2023-06-13
- Original CVE updated: 2024-11-21
- Advisory published: 2023-06-13
- Advisory updated: 2024-11-21
Who should care
Organizations running TMT Lockcell firmware before 15.0, along with teams responsible for access control, device authentication, and firmware lifecycle management, should treat this as urgent. Security teams should also prioritize environments where the device is exposed to untrusted networks or manages sensitive access decisions.
Technical summary
NVD describes CVE-2023-3050 as a cookie-trust weakness in a security decision, mapped primarily to CWE-565 (Reliance on Cookies without Validation and Integrity Checking), with a secondary CWE-784 classification (the same weakness specifically in a security decision) supplied by USOM. The vulnerable product is listed as tmtmakine Lockcell firmware, affected before version 15.0. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates an issue exploitable over the network with low attack complexity, no privileges and no user interaction, with high impact to confidentiality, integrity, and availability and scope unchanged. The published data does not describe the specific cookie or decision involved, so the practical root cause should be assumed to be the general CWE-565 pattern: a client-controlled cookie value (for example a session, user or role field) is accepted as authoritative without a server-side integrity check.
Defensive priority
Immediate. This is a critical, remotely exploitable authentication/privilege issue with no privileges or user interaction required, so affected systems should be identified and updated as soon as possible. Note also that one of the NVD references is tagged "Exploit", so details sufficient for exploitation may already be public.
Recommended defensive actions
- Confirm whether any deployed Lockcell firmware is earlier than 15.0.
- Apply the vendor-fixed firmware or upgrade to a version that is not listed as vulnerable.
- Review any device workflows that make authorization decisions based on client-side cookies or other untrusted state.
- Restrict network exposure of affected devices until remediation is complete.
- Review administrative and access-control logs for unexpected privilege changes, logins from unexpected sources, or sessions that acquire elevated rights without a corresponding authentication event.
- If an upgrade cannot be applied immediately, implement compensating controls such as network segmentation and tighter access restrictions.
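The CWE-565 pattern named in the technical summary, and the workflow review recommended above, are easiest to recognise side by side. The following is an added, generic illustration written for this debrief; it is not Lockcell code and makes no claim about how the Lockcell firmware actually handles cookies, which the published data does not describe. The hypothetical `authorize_insecure` trusts a `role` cookie the client controls, while `authorize_signed` accepts only an HMAC-signed session cookie and then looks the role up server-side. The key, the user table and the cookie strings are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical signing key. A real device needs a per-unit key generated at
# provisioning, never a constant baked into the firmware image.
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample of server-side account state (hypothetical).
USERS = {"alice": "operator", "bob": "admin"}


def parse_cookies(cookie_header: str) -> dict:
    """Split a raw Cookie header ('a=1; b=2') into a name -> value dict."""
    cookies = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name.strip()] = value.strip()
    return cookies


def authorize_insecure(cookie_header: str) -> bool:
    """CWE-565 pattern: the privilege level is read straight from a cookie the
    client controls, so anyone who sends 'role=admin' is treated as admin."""
    return parse_cookies(cookie_header).get("role") == "admin"


def issue_session(username: str, key: bytes = SERVER_KEY) -> str:
    """Hardened form: cookie value is base64(payload).hex(HMAC-SHA256(payload)).
    The payload carries only the identity; privilege is never stored client-side."""
    payload = json.dumps({"user": username}, separators=(",", ":")).encode()
    b64 = base64.urlsafe_b64encode(payload).decode()
    tag = hmac.new(key, b64.encode(), hashlib.sha256).hexdigest()
    return f"{b64}.{tag}"


def verify_session(token: str, key: bytes = SERVER_KEY):
    """Return the payload dict if the HMAC verifies, otherwise None."""
    if "." not in token:
        return None
    b64, tag = token.rsplit(".", 1)
    expected = hmac.new(key, b64.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(b64))
    except (ValueError, UnicodeDecodeError):
        return None


def authorize_signed(cookie_header: str, key: bytes = SERVER_KEY) -> bool:
    """Only an integrity-checked session identifies the user; the role is then
    looked up in server-side state, so a tampered cookie cannot grant it."""
    token = parse_cookies(cookie_header).get("session", "")
    claims = verify_session(token, key)
    if not isinstance(claims, dict):
        return False
    return USERS.get(claims.get("user")) == "admin"


if __name__ == "__main__":
    forged = "role=admin; user=mallory"          # constructed attacker cookie
    print("insecure accepts forged cookie:", authorize_insecure(forged))
    print("signed rejects forged cookie:", authorize_signed(forged))
    print("signed accepts real admin:", authorize_signed("session=" + issue_session("bob")))
```

Swapping the payload of one signed cookie onto the tag of another fails verification, because the tag is computed over the exact encoded payload; and because the role is resolved from `USERS` rather than the cookie, demoting or removing an account takes effect immediately for existing sessions.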
Evidence notes
This debrief is based on the supplied CVE record and NVD metadata. The NVD entry lists CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, the affected firmware range ending before 15.0, and CWE-565 as the primary weakness. USOM material also maps the issue to CWE-784. No CISA KEV entry is present in the supplied corpus.
Official resources
- CVE-2023-3050 CVE record (CVE.org)
- CVE-2023-3050 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Exploit, Third Party Advisory)
- Mitigation or vendor reference: [email protected] (Third Party Advisory)
Publicly disclosed on 2023-06-13 and later modified on 2024-11-21. The supplied corpus does not indicate a CISA KEV listing.