CVE-2022-35135: n/a in n/a
Boodskap IoT Platform v4.4.9-02 allows attackers to escalate privileges via a crafted request sent to /api/user/upsert/<uuid>.
AI Analysis
Technical Summary
CVE-2022-35135 is a high-severity vulnerability affecting the Boodskap IoT Platform version 4.4.9-02. It allows an attacker who already holds low privileges on the platform (PR:L) to escalate those privileges by sending a specially crafted request to the endpoint /api/user/upsert/<uuid>, which likely handles user creation or modification. The vulnerability is classified under CWE-287 (improper authentication), indicating that the platform fails to properly verify the identity or authorization of the requester before allowing user privilege modifications. The CVSS 3.1 base score of 8.8 reflects a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality (C:H), integrity (I:H), and availability (A:H). In practice, a low-privileged attacker can exploit this remotely, without any user interaction, to gain higher privileges, potentially full administrative control of the IoT platform. Given what IoT platforms manage, such privilege escalation could lead to unauthorized control over connected devices, data exfiltration, or disruption of IoT services. No public exploits are currently known in the wild, and no patch links are provided, so remediation is likely to depend on a vendor update. The vulnerability was reserved on July 4, 2022, and published on October 13, 2022.
Potential Impact
For European organizations using the Boodskap IoT Platform, this vulnerability poses a significant risk. IoT platforms often manage critical infrastructure, industrial control systems, smart building management, or other operational technology environments. Successful exploitation could allow attackers to gain administrative privileges, leading to unauthorized device control, data breaches, or service disruption. This could affect confidentiality through data theft, integrity by unauthorized modification of device configurations or commands, and availability by disabling IoT services or devices. The high severity and network exploitability mean attackers can operate remotely, increasing the risk of widespread impact. Organizations in sectors such as manufacturing, energy, transportation, and smart cities are particularly vulnerable. Additionally, the lack of a public patch or exploit means organizations must proactively assess and mitigate the risk to prevent potential future exploitation. The impact extends beyond IT to operational technology, potentially causing physical consequences or safety hazards.
Mitigation Recommendations
European organizations should immediately audit their use of the Boodskap IoT Platform to identify affected versions, specifically version 4.4.9-02. If possible, upgrade to a patched version once available from the vendor. In the absence of a patch, implement strict network segmentation to isolate the IoT platform from general enterprise networks and restrict access to the /api/user/upsert/<uuid> endpoint to trusted administrators only. Employ strong authentication and authorization controls around the platform, including multi-factor authentication for all users with any privileges. Monitor logs and network traffic for unusual requests targeting the user upsert API endpoint. Conduct regular vulnerability assessments and penetration testing focused on IoT platforms. Additionally, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious crafted requests targeting user management endpoints. Establish an incident response plan specific to IoT platform compromise scenarios. Engage with the vendor for timely updates and security advisories. Finally, educate administrators on the risks of privilege escalation and the importance of secure API usage.
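The monitoring and access-control advice above can be made concrete. The following is an added example written for this page, not code from Boodskap or from the advisory: it scans constructed access-log lines for write requests to /api/user/upsert/<uuid> made by non-administrative accounts (a successful one is rated high, a rejected one low), and it shows the kind of server-side guard that should sit in front of such an endpoint. The JSON-per-line log schema, the field names, the role name "admin", and the function names are all assumptions; adapt them to the deployment's actual logs and role model.

```python
"""Detection and authorization sketch for abuse of a user-upsert endpoint.

Added example for this advisory page. The log format, field names and role
names below are assumptions, not Boodskap's real schema.
"""
import json
import re
from typing import Dict, Iterable, Iterator, List, Optional

# Path shape named in the advisory: /api/user/upsert/<uuid>
UPSERT_PATH = re.compile(
    r"^/api/user/upsert/(?P<uuid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$",
    re.IGNORECASE,
)
WRITE_METHODS = {"POST", "PUT", "PATCH"}
ADMIN_ROLES = {"admin"}  # assumed role name; adjust to the deployment's role model

# Constructed sample log lines (assumed JSON-per-line format, not real traffic).
SAMPLE_LOG = """\
{"ts": "2022-10-13T10:00:01Z", "user": "alice", "role": "admin", "method": "POST", "path": "/api/user/upsert/2b1c4f0a-3d5e-4f6a-8b7c-9d0e1f2a3b4c", "status": 200}
{"ts": "2022-10-13T10:00:05Z", "user": "bob", "role": "viewer", "method": "POST", "path": "/api/user/upsert/2b1c4f0a-3d5e-4f6a-8b7c-9d0e1f2a3b4c", "status": 200}
{"ts": "2022-10-13T10:00:09Z", "user": "bob", "role": "viewer", "method": "GET", "path": "/api/device/list", "status": 200}
{"ts": "2022-10-13T10:00:12Z", "user": "carol", "role": "viewer", "method": "PUT", "path": "/api/user/upsert/7d8e9f0a-1b2c-4d3e-9f4a-5b6c7d8e9f0a", "status": 403}
"""


def parse_log(text: str) -> Iterator[Dict]:
    """Yield one dict per non-empty JSON line; malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_upsert_alerts(entries: Iterable[Dict]) -> List[Dict]:
    """Flag write requests to the user-upsert endpoint from non-admin accounts.

    A request that the server accepted (2xx) is the dangerous case and is rated
    high; a rejected attempt is still recorded, at low severity, as it may show
    probing of the endpoint.
    """
    alerts: List[Dict] = []
    for e in entries:
        m = UPSERT_PATH.match(e.get("path", ""))
        if not m or e.get("method") not in WRITE_METHODS:
            continue
        if e.get("role") in ADMIN_ROLES:
            continue  # expected administrative use; audit separately, not alerted here
        status = int(e.get("status", 0))
        accepted = 200 <= status < 300
        alerts.append({
            "ts": e.get("ts"),
            "user": e.get("user"),
            "target_uuid": m.group("uuid").lower(),
            "severity": "high" if accepted else "low",
            "reason": "non-admin write to user upsert endpoint "
                      + ("succeeded" if accepted else "rejected"),
        })
    return alerts


def authorize_upsert(requester_role: str, requester_id: str, target_id: str,
                     requested_role: Optional[str] = None) -> bool:
    """Hypothetical server-side guard for an upsert handler.

    Admins may upsert any user. Everyone else may only modify their own record,
    and never change their own role. This is the check whose absence CWE-287
    describes: the request must be authorized, not merely authenticated.
    """
    if requester_role in ADMIN_ROLES:
        return True
    if requester_id != target_id:
        return False
    return requested_role is None or requested_role == requester_role


if __name__ == "__main__":
    for alert in find_upsert_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run it against exported access logs by replacing SAMPLE_LOG with the file contents; the regex only accepts a well-formed UUID after the endpoint prefix, so path-variant noise is ignored, and the role check relies on the log carrying the authenticated caller's role rather than guessing it from the path.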
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-07-04T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0fb1484d88663aec568
Added to database: 5/20/2025, 6:59:07 PM
Last enriched: 7/6/2025, 9:41:39 AM
Last updated: 2/5/2026, 1:32:03 AM
Views: 36