Skip to main content

CVE-2023-42143: n/a in n/a

Medium
VulnerabilityCVE-2023-42143cvecve-2023-42143
Published: Tue Jan 23 2024 (01/23/2024, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

Missing Integrity Check in Shelly TRV 20220811-152343/v2.1.8@5afc928c allows malicious users to create a backdoor by redirecting the device to an attacker-controlled machine which serves the manipulated firmware file. The device is updated with the manipulated firmware.

AI-Powered Analysis

AILast updated: 07/08/2025, 16:26:26 UTC

Technical Analysis

CVE-2023-42143 is a medium-severity vulnerability affecting Shelly TRV smart thermostatic radiator valves, specifically version 20220811-152343/v2.1.8@5afc928c. The core issue is a missing integrity check during the firmware update process. This flaw allows an attacker with network access and limited privileges (PR:L) to redirect the device to an attacker-controlled server that hosts a manipulated firmware image. Because the device does not verify the integrity of the firmware before applying it, the malicious firmware is installed, effectively creating a backdoor on the device. This backdoor could be used for persistent unauthorized access or further attacks within the network. The vulnerability is exploitable remotely over the network (AV:N) with low attack complexity (AC:L), but requires some user interaction (UI:R), such as triggering the update process or redirecting the device’s update request. The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact includes limited confidentiality and integrity loss (C:L/I:L) but no impact on availability (A:N). No known exploits have been reported in the wild to date, and no official patches or vendor advisories are currently linked. The vulnerability is categorized under CWE-354 (Improper Integrity Check).

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those deploying Shelly TRV devices in smart building environments, offices, or residential complexes. Compromised devices could serve as footholds for attackers to infiltrate internal networks, potentially leading to lateral movement and data exfiltration. The backdoor created by manipulated firmware could enable persistent access, undermining network integrity and confidentiality. Although the direct impact on availability is low, the presence of unauthorized firmware could disrupt normal device operation or cause privacy violations. Organizations relying on smart building automation and IoT devices without robust network segmentation or monitoring are particularly at risk. The vulnerability also raises compliance concerns under GDPR if personal or sensitive data is indirectly exposed through compromised devices. Given the increasing adoption of IoT in European smart cities and enterprises, this vulnerability could be exploited to target critical infrastructure or high-value commercial environments.

Mitigation Recommendations

1. Network Segmentation: Isolate Shelly TRV devices on dedicated VLANs or network segments with strict access controls to limit exposure to untrusted networks or users. 2. Firmware Update Verification: Until an official patch is released, implement network-level controls such as firewall rules or DNS filtering to prevent devices from reaching unauthorized update servers. 3. Monitor Network Traffic: Deploy anomaly detection to identify unusual DNS queries or connections from Shelly TRVs to unknown IP addresses, which may indicate redirection attempts. 4. Access Control Hardening: Restrict administrative access to the devices and ensure strong authentication mechanisms are in place to prevent unauthorized configuration changes. 5. Vendor Engagement: Engage with Shelly or the device vendor to obtain official patches or firmware updates that include integrity verification. 6. Incident Response Preparedness: Develop procedures to quickly isolate and remediate affected devices if compromise is suspected. 7. User Awareness: Educate facility managers and IT staff about the risks of unauthorized firmware updates and the importance of verifying update sources.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2023-09-08T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6839c41d182aa0cae2b43571

Added to database: 5/30/2025, 2:43:41 PM

Last enriched: 7/8/2025, 4:26:26 PM

Last updated: 8/15/2025, 9:06:05 AM

Views: 10

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats