CVE-2021-3774: CWE-319 Cleartext Transmission of Sensitive Information in Meross Meross Smart Wi-Fi 2 Way Wall Switch
Meross Smart Wi-Fi 2 Way Wall Switch (MSS550X), on its 3.1.3 version and before, creates an open Wi-Fi Access Point without the required security measures in its initial setup. This could allow a remote attacker to obtain the Wi-Fi SSID as well as the password configured by the user from Meross app via Http/JSON plain request.
AI Analysis
Technical Summary
CVE-2021-3774 is a vulnerability affecting the Meross Smart Wi-Fi 2 Way Wall Switch (model MSS550X) in firmware versions 3.1.3 and earlier. During the initial setup process, the device creates an open Wi-Fi Access Point (AP) without implementing adequate security controls. This unsecured AP allows a remote attacker within wireless range to connect and intercept communications between the Meross app and the device. Specifically, the device transmits sensitive configuration data, including the Wi-Fi SSID and password, in cleartext via HTTP/JSON requests. Because these credentials are sent without encryption or authentication, an attacker can easily capture them by monitoring network traffic or directly querying the device. This vulnerability falls under CWE-319, which concerns the cleartext transmission of sensitive information. The lack of encryption and authentication during the setup phase exposes users to credential theft, potentially enabling unauthorized access to the victim's home Wi-Fi network and connected IoT devices. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to user privacy and network security. The issue is rooted in insecure design choices during the device's provisioning stage, where convenience was prioritized over security, resulting in an open AP and unprotected data exchange. The vulnerability affects all devices running firmware version 3.1.3 or earlier, and no official patch or mitigation has been linked in the provided data. The device's reliance on HTTP rather than HTTPS for transmitting sensitive information is a critical weakness that facilitates easy interception by attackers within wireless range. This vulnerability highlights the importance of secure onboarding processes for IoT devices, including encrypted communication channels and authentication mechanisms to protect sensitive user data from exposure during setup.
Potential Impact
For European organizations and consumers, this vulnerability can lead to unauthorized disclosure of Wi-Fi credentials, which compromises the confidentiality of the home or office network. Attackers gaining access to the Wi-Fi network can further exploit other connected devices, potentially leading to lateral movement within the network, data theft, or disruption of services. In environments where Meross switches are deployed in smart buildings, offices, or critical infrastructure, this could undermine operational integrity and availability. The exposure of Wi-Fi credentials also increases the risk of man-in-the-middle attacks, network eavesdropping, and unauthorized control of IoT devices. Although the vulnerability requires proximity to the device's wireless signal, the risk remains significant in densely populated urban areas or office environments where attackers could easily be within range. The lack of authentication and encryption during setup means that even non-expert attackers could exploit this vulnerability with minimal effort. While no known exploits are currently active in the wild, the potential impact on confidentiality and network security is substantial, especially for organizations relying on Meross devices for automation or energy management. This vulnerability could also erode trust in IoT device security, leading to reputational damage for organizations deploying these devices.
Mitigation Recommendations
To mitigate this vulnerability, European organizations and users should take the following specific actions: 1) Immediately check for firmware updates from Meross that address this vulnerability and apply them as soon as they become available. 2) During device setup, perform the configuration in a controlled environment where unauthorized wireless access is minimized, such as a secured room or using a temporary isolated Wi-Fi network. 3) Avoid setting up the device in public or high-traffic areas to reduce the risk of attackers intercepting the setup traffic. 4) After setup, change the Wi-Fi network password regularly and monitor network logs for any unauthorized access attempts. 5) Segment IoT devices on a separate VLAN or network segment to limit the impact of compromised devices on critical organizational infrastructure. 6) Use network monitoring tools to detect unusual wireless connections or traffic patterns around the IoT devices. 7) If possible, disable the device's open AP mode after setup or restrict its wireless range using physical or configuration controls. 8) Educate users and administrators about the risks of insecure IoT device provisioning and encourage best practices for secure onboarding. 9) Consider alternative IoT devices with stronger security postures if firmware updates are unavailable or delayed. These steps go beyond generic advice by focusing on operational controls during device provisioning and network segmentation to contain potential breaches.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
CVE-2021-3774: CWE-319 Cleartext Transmission of Sensitive Information in Meross Meross Smart Wi-Fi 2 Way Wall Switch
Description
Meross Smart Wi-Fi 2 Way Wall Switch (MSS550X), on its 3.1.3 version and before, creates an open Wi-Fi Access Point without the required security measures in its initial setup. This could allow a remote attacker to obtain the Wi-Fi SSID as well as the password configured by the user from Meross app via Http/JSON plain request.
AI-Powered Analysis
Technical Analysis
CVE-2021-3774 is a vulnerability affecting the Meross Smart Wi-Fi 2 Way Wall Switch (model MSS550X) in firmware versions 3.1.3 and earlier. During the initial setup process, the device creates an open Wi-Fi Access Point (AP) without implementing adequate security controls. This unsecured AP allows a remote attacker within wireless range to connect and intercept communications between the Meross app and the device. Specifically, the device transmits sensitive configuration data, including the Wi-Fi SSID and password, in cleartext via HTTP/JSON requests. Because these credentials are sent without encryption or authentication, an attacker can easily capture them by monitoring network traffic or directly querying the device. This vulnerability falls under CWE-319, which concerns the cleartext transmission of sensitive information. The lack of encryption and authentication during the setup phase exposes users to credential theft, potentially enabling unauthorized access to the victim's home Wi-Fi network and connected IoT devices. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to user privacy and network security. The issue is rooted in insecure design choices during the device's provisioning stage, where convenience was prioritized over security, resulting in an open AP and unprotected data exchange. The vulnerability affects all devices running firmware version 3.1.3 or earlier, and no official patch or mitigation has been linked in the provided data. The device's reliance on HTTP rather than HTTPS for transmitting sensitive information is a critical weakness that facilitates easy interception by attackers within wireless range. This vulnerability highlights the importance of secure onboarding processes for IoT devices, including encrypted communication channels and authentication mechanisms to protect sensitive user data from exposure during setup.
Potential Impact
For European organizations and consumers, this vulnerability can lead to unauthorized disclosure of Wi-Fi credentials, which compromises the confidentiality of the home or office network. Attackers gaining access to the Wi-Fi network can further exploit other connected devices, potentially leading to lateral movement within the network, data theft, or disruption of services. In environments where Meross switches are deployed in smart buildings, offices, or critical infrastructure, this could undermine operational integrity and availability. The exposure of Wi-Fi credentials also increases the risk of man-in-the-middle attacks, network eavesdropping, and unauthorized control of IoT devices. Although the vulnerability requires proximity to the device's wireless signal, the risk remains significant in densely populated urban areas or office environments where attackers could easily be within range. The lack of authentication and encryption during setup means that even non-expert attackers could exploit this vulnerability with minimal effort. While no known exploits are currently active in the wild, the potential impact on confidentiality and network security is substantial, especially for organizations relying on Meross devices for automation or energy management. This vulnerability could also erode trust in IoT device security, leading to reputational damage for organizations deploying these devices.
Mitigation Recommendations
To mitigate this vulnerability, European organizations and users should take the following specific actions: 1) Immediately check for firmware updates from Meross that address this vulnerability and apply them as soon as they become available. 2) During device setup, perform the configuration in a controlled environment where unauthorized wireless access is minimized, such as a secured room or using a temporary isolated Wi-Fi network. 3) Avoid setting up the device in public or high-traffic areas to reduce the risk of attackers intercepting the setup traffic. 4) After setup, change the Wi-Fi network password regularly and monitor network logs for any unauthorized access attempts. 5) Segment IoT devices on a separate VLAN or network segment to limit the impact of compromised devices on critical organizational infrastructure. 6) Use network monitoring tools to detect unusual wireless connections or traffic patterns around the IoT devices. 7) If possible, disable the device's open AP mode after setup or restrict its wireless range using physical or configuration controls. 8) Educate users and administrators about the risks of insecure IoT device provisioning and encourage best practices for secure onboarding. 9) Consider alternative IoT devices with stronger security postures if firmware updates are unavailable or delayed. These steps go beyond generic advice by focusing on operational controls during device provisioning and network segmentation to contain potential breaches.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- INCIBE
- Date Reserved
- 2021-09-06T00:00:00.000Z
- Cisa Enriched
- true
Threat ID: 682d9841c4522896dcbf1d7b
Added to database: 5/21/2025, 9:09:21 AM
Last enriched: 6/23/2025, 9:25:19 PM
Last updated: 8/6/2025, 11:27:53 PM
Views: 18
Related Threats
CVE-2025-8983: SQL Injection in itsourcecode Online Tour and Travel Management System
MediumCVE-2025-8982: SQL Injection in itsourcecode Online Tour and Travel Management System
MediumCVE-2025-8981: SQL Injection in itsourcecode Online Tour and Travel Management System
MediumCVE-2025-50862: n/a
MediumCVE-2025-50861: n/a
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.