CVE-2022-35136: n/a in n/a
Boodskap IoT Platform v4.4.9-02 allows attackers to make unauthenticated API requests.
AI Analysis
Technical Summary
CVE-2022-35136 is a medium severity vulnerability affecting the Boodskap IoT Platform version 4.4.9-02. It allows attackers to make unauthenticated API requests: an attacker can interact with the platform's API without presenting valid credentials or authentication tokens. The weakness is classified under CWE-306 (Missing Authentication for Critical Function), meaning that critical functions are reachable without proper authentication controls.

The CVSS 3.1 base score is 6.5, a medium severity rating. The vector string (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) indicates that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L), requires low privileges (PR:L), and needs no user interaction (UI:N). The scope is unchanged (S:U); the confidentiality impact is none (C:N), the integrity impact is high (I:H), and the availability impact is none (A:N). In practice this means the attacker cannot read confidential data but can modify data or system state, which is a serious integrity problem. Note that the PR:L component is in tension with the description of the requests as unauthenticated; the vector is reproduced here as published.

Missing authentication on API endpoints can allow unauthorized commands or data manipulation, which is critical in IoT environments where device control and data integrity are paramount. No patch or mitigation links were available at the time of analysis, so organizations may need to rely on configuration changes until vendor updates are released. No known exploits in the wild have been reported to date, but the nature of the vulnerability makes it a significant risk for IoT deployments that use this platform.
Potential Impact
For European organizations deploying the Boodskap IoT Platform, this vulnerability poses a significant risk to the integrity of IoT device management and data. Unauthorized API access can allow attackers to alter device configurations, inject malicious commands, or disrupt normal operations without detection. This could lead to operational disruptions, safety hazards, or compromised data integrity in critical infrastructure sectors such as manufacturing, smart cities, energy management, and healthcare IoT systems. Given the increasing reliance on IoT for automation and monitoring, integrity breaches can cascade into broader system failures or safety incidents.

The absence of confidentiality impact means sensitive data leakage is less of a concern, but the ability to alter system state without authentication can undermine trust and compliance with European regulations such as the GDPR and the NIS Directive, especially where system integrity is tied to personal data processing or critical infrastructure. The medium severity rating reflects that exploitation requires some level of privilege (PR:L), which may limit the attack surface but does not eliminate risk, particularly in environments with weak internal access controls.
Mitigation Recommendations
European organizations should immediately audit their Boodskap IoT Platform deployments to identify whether they are running the vulnerable version (4.4.9-02). Until an official patch is released:
- Implement strict network segmentation to isolate IoT platforms from untrusted networks, and restrict API access to trusted management networks only.
- Apply strong access control lists (ACLs) and firewall rules to limit exposure of API endpoints.
- Monitor API traffic for anomalous or unauthorized requests, and implement logging and alerting to detect potential exploitation attempts.
- Where possible, enforce multi-factor authentication (MFA) or additional authentication layers at the network perimeter or API gateway to compensate for the platform's authentication weakness.
- Regularly review and rotate credentials and API keys, and consider deploying a Web Application Firewall (WAF) with custom rules to block unauthorized API calls.
- Engage with the vendor or community to obtain patches or updates, and plan for timely deployment once they are available.
- Conduct security awareness training for administrators managing the IoT platform so they can recognize and respond to suspicious activity promptly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-07-04T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0fb1484d88663aec56a
Added to database: 5/20/2025, 6:59:07 PM
Last enriched: 7/6/2025, 9:41:55 AM
Last updated: 7/28/2025, 6:43:45 PM
Related Threats
- CVE-2025-34154: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Synergetic Data Systems Inc. UnForm Server Manager (Critical)
- CVE-2025-8927: Improper Restriction of Excessive Authentication Attempts in mtons mblog (Medium)
- CVE-2025-43988: n/a (Critical)
- CVE-2025-8926: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)
- CVE-2025-43986: n/a (Critical)