VYPR
Unrated severity · NVD Advisory · Published Nov 21, 2023 · Updated Oct 17, 2024

Data leakage and arbitrary remote code execution in Syrus cloud devices

CVE-2023-6248

Description

The Syrus4 IoT gateway utilizes an unsecured MQTT server to download and execute arbitrary commands, allowing a remote unauthenticated attacker to execute code on any Syrus4 device connected to the cloud service. The MQTT server also leaks the location, video and diagnostic data from each connected device. An attacker who knows the IP address of the server is able to connect and perform the following operations:

  • Get location data of the vehicle the device is connected to
  • Send CAN bus messages via the ECU module ( https://syrus.digitalcomtech.com/docs/ecu-1 )
  • Immobilize the vehicle via the safe-immobilizer module ( https://syrus.digitalcomtech.com/docs/system-tools#safe-immobilization )
  • Get live video through the connected video camera
  • Send audio messages to the driver ( https://syrus.digitalcomtech.com/docs/system-tools#apx-tts )

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Syrus4 IoT gateway uses unsecured MQTT server, enabling remote unauthenticated code execution and data leakage.

Vulnerability

The Syrus4 IoT gateway (all versions) uses an unsecured MQTT server to download and execute arbitrary commands. The MQTT server also leaks location, video, and diagnostic data from each connected device. An attacker who knows the IP address of the server can connect without authentication.

Exploitation

An unauthenticated attacker with knowledge of the MQTT server's IP address can connect and perform operations including: getting location data, sending CAN bus messages via the ECU module, immobilizing the vehicle via the safe-immobilizer module, obtaining live video, and sending audio messages to the driver. The attacker can also execute arbitrary commands.

Impact

Successful exploitation allows remote code execution on the Syrus4 device connected to the cloud. The attacker gains full control over the vehicle, including the ability to track location, interfere with vehicle systems, and access video/audio. This compromises confidentiality, integrity, and availability.

Mitigation

No official mitigation or patch has been disclosed in available references [1]. Users should monitor vendor advisories for firmware updates. As a workaround, restrict network access to the MQTT server and use firewall rules.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
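A defender-side check for the unauthenticated-connection condition described above, as an added example that is not from the advisory or the vendor: it parses MQTT CONNECT packets captured at your own broker and reports whether each client presented a username or password. The function names and the sample packets (client IDs, credentials) are constructed for illustration.

```python
def _varint(buf, pos):
    """Decode an MQTT variable byte integer; return (value, next position)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf) or shift > 21:  # at most 4 bytes are allowed
            raise ValueError("malformed variable byte integer")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def _field(buf, pos):
    """Read a field with a 2-byte big-endian length prefix."""
    end = pos + 2 + int.from_bytes(buf[pos:pos + 2], "big")
    if pos + 2 > len(buf) or end > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:end], end

def audit_connect(packet: bytes) -> dict:
    """Summarise the authentication-relevant fields of one CONNECT packet."""
    if not packet or packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _varint(packet, 1)
    body = packet[pos:pos + remaining]
    if len(body) != remaining:
        raise ValueError("truncated packet")
    name, pos = _field(body, 0)
    if name not in (b"MQTT", b"MQIsdp") or pos + 4 > len(body):
        raise ValueError("bad protocol header")
    level, flags = body[pos], body[pos + 1]
    pos += 4  # protocol level, connect flags, 2-byte keep-alive
    if level == 5:  # MQTT 5 places a property block before the payload
        plen, pos = _varint(body, pos)
        pos += plen
    client_id, _ = _field(body, pos)
    has_user, has_pass = bool(flags & 0x80), bool(flags & 0x40)
    return {"level": level, "client_id": client_id.decode("utf-8", "replace"),
            "username": has_user, "password": has_pass,
            "anonymous": not (has_user or has_pass)}

# Constructed sample packets (MQTT 3.1.1): one without credentials, one with.
ANON = b"\x10\x11" + b"\x00\x04MQTT" + b"\x04\x02\x00\x3c" + b"\x00\x05dev-1"
AUTH = (b"\x10\x20" + b"\x00\x04MQTT" + b"\x04\xc2\x00\x3c" + b"\x00\x05gw-01"
        + b"\x00\x05fleet" + b"\x00\x06s3cret")

if __name__ == "__main__":
    for pkt in (ANON, AUTH):
        print(audit_connect(pkt))
```

A credential-less CONNECT that the broker answers with a successful CONNACK indicates anonymous access is enabled on that listener.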

Affected products

2

Patches

0

No patches discovered yet.

References

1
