VYPR
Unrated severity · NVD Advisory · Published Aug 4, 2023 · Updated Oct 17, 2024

CVE-2023-33372

Description

Connected IO v2.1.0 and prior uses a hard-coded username/password pair embedded in their device's firmware, used for device communication using MQTT. An attacker who has gained access to these credentials is able to connect to the MQTT broker and send messages on behalf of devices, impersonating them. In order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Hard-coded MQTT credentials in Connected IO firmware allow attackers to impersonate devices and forge JWT tokens, bypassing authentication.

Vulnerability

Connected IO firmware versions v2.1.0 and prior contain a hard-coded username and password pair used for MQTT device communication [1]. Because the credential pair is embedded in the firmware, any attacker who extracts it can authenticate to the MQTT broker.

Exploitation

An attacker with access to the hard-coded credentials can connect to the MQTT broker and send messages on behalf of any device, effectively impersonating them [1]. The same credentials are used to sign and verify JWT session tokens, enabling the attacker to forge arbitrary session tokens and bypass authentication.

Impact

Successful exploitation allows the attacker to impersonate devices and sign arbitrary JWT tokens, leading to authentication bypass and unauthorized access to device management functions [1]. The attacker can then perform actions as any legitimate device, potentially compromising the entire system.

Mitigation

Connected IO has not released a patch as of the publication date (2023-08-04) [1]. Users should monitor vendor advisories for firmware updates. As a workaround, network segmentation and MQTT broker access controls may limit exposure. The product page is available at [2] but no fix details are provided.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0. No linked articles in our index yet.