PatchSiren cyber security CVE debrief
CVE-2023-5222 Viessmann CVE debrief
A critical vulnerability in Viessmann Vitogate 300 versions 2.1.3.0 and prior exposes affected devices to complete compromise via hard-coded credentials in the web management interface. The flaw resides in the `isValidUser` function within `/cgi-bin/vitogate.cgi`, allowing unauthenticated network attackers to gain administrative access without prior authentication. With a CVSS 3.1 score of 9.8, this vulnerability enables remote attackers to achieve confidentiality, integrity, and availability impacts across the affected industrial control system gateway devices. The issue was disclosed publicly on September 10, 2024, through CISA's ICS advisory program. Viessmann Climate Solutions SE, now a Carrier brand, has released version 3.0.0.0 to remediate this vulnerability. Organizations operating Vitogate 300 devices should prioritize patching given the network-accessible attack vector and complete lack of required privileges or user interaction.
- Vendor
- Viessmann
- Product
- Vitogate 300
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-09-10
- Original CVE updated
- 2024-09-10
- Advisory published
- 2024-09-10
- Advisory updated
- 2024-09-10
Who should care
Organizations operating Viessmann heating, ventilation, and climate control systems; building automation system integrators; facility management teams responsible for critical infrastructure; industrial cybersecurity teams monitoring OT/ICS environments; and any entity with Vitogate 300 devices deployed in accessible network segments.
Technical summary
The Viessmann Vitogate 300, an industrial gateway device used in building automation and climate control systems, contains a hard-coded password vulnerability in its web management interface. Specifically, the `isValidUser` function in `/cgi-bin/vitogate.cgi` fails to properly validate credentials against a secure authentication backend, instead relying on embedded credentials that can be extracted or bypassed. This architectural flaw permits unauthenticated remote attackers to authenticate as administrative users without valid credentials. The vulnerability is network-exploitable with low attack complexity, requiring no privileges or user interaction. Successful exploitation grants complete control over the device, including the ability to modify configurations, intercept traffic, and potentially pivot to connected building management systems. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reflects this severe exposure profile typical of embedded credential flaws in industrial IoT devices.
Defensive priority
critical
Recommended defensive actions
- Immediately inventory all Viessmann Vitogate 300 devices and identify those running firmware version 2.1.3.0 or earlier
- Upgrade affected devices to version 3.0.0.0 as provided by Viessmann Climate Solutions SE
- Until patching is complete, restrict network access to Vitogate 300 management interfaces to authorized administrative hosts only
- Monitor for unauthorized access attempts to `/cgi-bin/vitogate.cgi` on affected devices
- Review device configurations for signs of unauthorized changes if devices were internet-accessible prior to remediation
- Apply network segmentation to isolate Vitogate 300 devices from untrusted networks per ICS-CERT recommended practices
Evidence notes
Vulnerability confirmed through CISA ICS advisory ICSA-24-254-01. Affected versions explicitly documented as 2.1.3.0 and prior. Remediation version 3.0.0.0 confirmed available through vendor channels.
Official resources
-
CVE-2023-5222 CVE record
CVE.org
-
CVE-2023-5222 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
public