In September 2024, CISA released an advisory highlighting the critical security vulnerabilities affecting Viessmann Vitogate 300, an interface device that integrates Building Management Systems with Viessmann heating systems. The vulnerabilities, identified in older versions of the device, were first discovered by security researchers in September 2023. These vulnerabilities impacted the device’s web management interface, specifically allowing exploitation through hardcoded credentials, direct request manipulation, and command injection.
The vulnerabilities were designated as CVE-2023-5222, CVE-2023-5702, and CVE-2023-45852, with severity scores ranging from 7.1 to 9.3 on the CVSS scale, indicating their critical and high-risk nature. CVE-2023-5222 involved the use of hardcoded credentials, CVE-2023-5702 enabled forced browsing, and CVE-2023-45852 allowed command injection, which could give unauthorized users the ability to execute arbitrary commands. These issues were especially concerning because they exposed systems to unauthorized access and manipulation, potentially compromising the integrity of critical infrastructure.
In response to the vulnerabilities, Viessmann Climate Solutions SE released a hotfix in December 2023, followed by a public exploit in March 2024. Viessmann then issued a complete software update in the form of Vitogate 300 software version 3.0.0.0, which addressed all the identified security flaws. CISA strongly encouraged customers to upgrade to the latest version to secure their systems and mitigate the risks associated with these vulnerabilities.
Viessmann Climate Solutions SE, a subsidiary of Carrier Global Corporation, is a key player in intelligent climate and energy solutions. The company’s products, including the Vitogate 300, are integral to modern building management and heating systems. Users and administrators are advised to review the CISA advisory for additional technical details and further mitigation recommendations to safeguard against potential exploitation.
Reference:
