CVE-2020-28593
Description
An unauthenticated backdoor exists in the configuration server functionality of the Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0. A specially crafted JSON object can lead to code execution. An attacker can send a malicious packet to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A pre-authenticated backdoor in Cosori Smart Air Fryer CS158-AF firmware 1.1.0 allows remote code execution via a crafted JSON packet on TCP port 41234.
Vulnerability
Hidden functionality (CWE-912) exists in the configuration server of the Cosori Smart 5.8-Quart Air Fryer CS158-AF running firmware version 1.1.0 [1]. The device runs an ESP-01E-based WiFi module that, during initial setup, operates as an access point and listens on TCP port 41234 for encrypted JSON commands [1]. All traffic is encrypted using a static, symmetric key (llwantaeskey1.01) and IV (llwantaesivv1.01) embedded in the firmware [1]. The setup protocol includes a field tcpDebugPort that, when set to a value other than "off", enables a debug backdoor that can execute arbitrary commands [1]. No authentication is required to send commands to this port [1].
Exploitation
An attacker with network access to the device during its setup phase (i.e., while the air fryer is broadcasting its own WiFi network) can send a crafted TCP packet to port 41234 [1]. The packet must be encrypted with the known static AES key and IV, and contain a JSON object that sets tcpDebugPort to a non-off value and includes malicious commands in the appropriate field [1]. No authentication, user interaction, or prior knowledge beyond the embedded cryptographic material is required [1]. The attack complexity rating (CVSS:3.0/AV:N/AC:H) reflects the need for the attacker to be on the same network segment during the brief setup window [1].
Impact
Successful exploitation allows the attacker to achieve arbitrary code execution on the device's ESP-01E module [1]. This grants the attacker the ability to fully control the appliance, exfiltrate sensitive data (such as WiFi credentials sent during setup), or use the device as a pivot point on the local network [1]. The impact on confidentiality, integrity, and availability is high [1].
Mitigation
As of the publication date (2021-04-15), no firmware patch has been released by Cosori to address this vulnerability [1]. The device remains at risk if it is placed into setup mode on an untrusted network. Until a fix is available, users should avoid connecting the air fryer to any network where an attacker could be present during the initial configuration process, and should ensure the device is not left in setup mode for longer than necessary [1]. The CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Hidden functionality (backdoor) in the configuration server allows enabling an unauthenticated debug interface by setting the 'tcpDebugPort' JSON field to 'on'."
Attack vector
An attacker on the same network as the device during its initial WiFi setup phase sends an encrypted JSON configuration packet to TCP port 41234 with the "tcpDebugPort" field set to "on" instead of "off" [ref_id=1]. The encryption uses a static, symmetric key ("llwantaeskey1.01") and IV ("llwantaesivv1.01") embedded in the firmware, so the attacker can encrypt the modified payload [ref_id=1]. Once the device processes this packet, it opens an unauthenticated, unencrypted TCP debug server on port 55555 that exposes serial log data and accepts debugging commands, including a firmware-upgrade command that can fetch and install arbitrary firmware from an attacker-controlled URL [ref_id=1].
Affected code
The advisory [ref_id=1] identifies the configuration server running on TCP port 41234 as the vulnerable component. The firmware contains a static AES key ("llwantaeskey1.01") and IV ("llwantaesivv1.01") in the .user_data_seg_3 section at address 3FFE911E [ref_id=1]. The "tcpDebugPort" JSON field, when set to "on", enables a hidden debug server on TCP port 55555.
What the fix does
No patch is published in the bundle. The advisory [ref_id=1] does not describe any vendor fix or remediation commit. The recommended mitigation would be to remove the hidden "tcpDebugPort" functionality entirely, require authentication for the debug interface, or use a per-device encryption key rather than the static key embedded in firmware.
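To make the "remove the hidden functionality" recommendation concrete, the following added example (written for this page, not the vendor's firmware or the Talos advisory code) models the configuration handler twice: once with the CWE-912 behaviour the advisory describes, where any tcpDebugPort value other than "off" enables the port 55555 debug listener, and once as an allowlist-based handler that has no debug code path at all and rejects the field outright. The legitimate setup field names (ssid, password, deviceName) and the sample payloads are assumptions; the payloads represent the plaintext JSON after the static-key AES layer has been removed.

```python
import json

# Field name and debug port are taken from the advisory (TALOS-2020-1217).
HIDDEN_FIELD = "tcpDebugPort"
DEBUG_PORT = 55555

# Assumed allowlist of fields a WiFi-onboarding config legitimately needs.
ALLOWED_FIELDS = {"ssid": str, "password": str, "deviceName": str}


def handle_setup_vulnerable(plaintext_json: str) -> dict:
    """Model of the hidden-functionality behaviour: any value other than
    "off" in tcpDebugPort turns on an unauthenticated debug listener."""
    cfg = json.loads(plaintext_json)
    state = {"ssid": cfg.get("ssid"), "debug_port": None}
    if cfg.get(HIDDEN_FIELD, "off") != "off":
        state["debug_port"] = DEBUG_PORT  # backdoor opened
    return state


def handle_setup_hardened(plaintext_json: str) -> dict:
    """Allowlist handler: unknown keys (the hidden one included) are
    rejected before use, and no code path can open a debug listener."""
    cfg = json.loads(plaintext_json)
    if not isinstance(cfg, dict):
        raise ValueError("config must be a JSON object")
    unknown = set(cfg) - set(ALLOWED_FIELDS)
    if unknown:
        raise ValueError(f"rejected unknown fields: {sorted(unknown)}")
    for key, typ in ALLOWED_FIELDS.items():
        if key in cfg and not isinstance(cfg[key], typ):
            raise ValueError(f"field {key} must be {typ.__name__}")
    if "ssid" not in cfg or "password" not in cfg:
        raise ValueError("ssid and password are required")
    return {"ssid": cfg["ssid"], "debug_port": None}


# Constructed sample payloads (hypothetical SSID and password).
BENIGN = json.dumps({"ssid": "HomeNet", "password": "hunter2"})
TAMPERED = json.dumps(
    {"ssid": "HomeNet", "password": "hunter2", HIDDEN_FIELD: "on"}
)


def is_rejected(handler, payload: str) -> bool:
    """True when the handler refuses the payload instead of applying it."""
    try:
        handler(payload)
    except ValueError:
        return True
    return False
```

The hardened handler also removes the second half of the advisory's recommendation from consideration: with no debug listener in the code, there is nothing left to authenticate.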
Preconditions
- network: Attacker must be on the same network as the device during the initial WiFi setup phase (device acts as an access point)
- input: Attacker must know the static AES key and IV embedded in the firmware to encrypt the malicious JSON payload
- auth: No authentication required
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. talosintelligence.com/vulnerability_reports/TALOS-2020-1217 (MITRE refsource: MISC)
News mentions: 0
No linked articles in our index yet.