CVE-2021-3774 is a vulnerability affecting the Meross Smart Wi-Fi 2 Way Wall Switch (model MSS550X) in firmware versions 3.1.3 and earlier. During the initial setup process, the device creates an open Wi-Fi Access Point (AP) without implementing adequate security controls. This unsecured AP allows a remote attacker within wireless range to connect and intercept communications between the Meross app and the device. Specifically, the device transmits sensitive configuration data, including the Wi-Fi SSID and password, in cleartext via HTTP/JSON requests. Because these credentials are sent without encryption or authentication, an attacker can easily capture them by monitoring network traffic or directly querying the device. This vulnerability falls under CWE-319, which concerns the cleartext transmission of sensitive information. The lack of encryption and authentication during the setup phase exposes users to credential theft, potentially enabling unauthorized access to the victim's home Wi-Fi network and connected IoT devices. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to user privacy and network security. The issue is rooted in insecure design choices during the device's provisioning stage, where convenience was prioritized over security, resulting in an open AP and unprotected data exchange. The vulnerability affects all devices running firmware version 3.1.3 or earlier, and no official patch or mitigation has been linked in the provided data. The device's reliance on HTTP rather than HTTPS for transmitting sensitive information is a critical weakness that facilitates easy interception by attackers within wireless range. This vulnerability highlights the importance of secure onboarding processes for IoT devices, including encrypted communication channels and authentication mechanisms to protect sensitive user data from exposure during setup.

For European organizations and consumers, this vulnerability can lead to unauthorized disclosure of Wi-Fi credentials, which compromises the confidentiality of the home or office network. Attackers gaining access to the Wi-Fi network can further exploit other connected devices, potentially leading to lateral movement within the network, data theft, or disruption of services. In environments where Meross switches are deployed in smart buildings, offices, or critical infrastructure, this could undermine operational integrity and availability. The exposure of Wi-Fi credentials also increases the risk of man-in-the-middle attacks, network eavesdropping, and unauthorized control of IoT devices. Although the vulnerability requires proximity to the device's wireless signal, the risk remains significant in densely populated urban areas or office environments where attackers could easily be within range. The lack of authentication and encryption during setup means that even non-expert attackers could exploit this vulnerability with minimal effort. While no known exploits are currently active in the wild, the potential impact on confidentiality and network security is substantial, especially for organizations relying on Meross devices for automation or energy management. This vulnerability could also erode trust in IoT device security, leading to reputational damage for organizations deploying these devices.

To mitigate this vulnerability, European organizations and users should take the following specific actions: 1) Immediately check for firmware updates from Meross that address this vulnerability and apply them as soon as they become available. 2) During device setup, perform the configuration in a controlled environment where unauthorized wireless access is minimized, such as a secured room or using a temporary isolated Wi-Fi network. 3) Avoid setting up the device in public or high-traffic areas to reduce the risk of attackers intercepting the setup traffic. 4) After setup, change the Wi-Fi network password regularly and monitor network logs for any unauthorized access attempts. 5) Segment IoT devices on a separate VLAN or network segment to limit the impact of compromised devices on critical organizational infrastructure. 6) Use network monitoring tools to detect unusual wireless connections or traffic patterns around the IoT devices. 7) If possible, disable the device's open AP mode after setup or restrict its wireless range using physical or configuration controls. 8) Educate users and administrators about the risks of insecure IoT device provisioning and encourage best practices for secure onboarding. 9) Consider alternative IoT devices with stronger security postures if firmware updates are unavailable or delayed. These steps go beyond generic advice by focusing on operational controls during device provisioning and network segmentation to contain potential breaches.