CVE-2023-46380: n/a
LOYTEC LINX-151, LINX-212, LVIS-3ME12-A1, LIOB-586, LIOB-580 V2, LIOB-588, L-INX Configurator devices (all versions) send password-change requests via cleartext HTTP.
AI Analysis
Technical Summary
CVE-2023-46380 identifies a vulnerability in several LOYTEC devices including LINX-151, LINX-212, LVIS-3ME12-A1, LIOB-586, LIOB-580 V2, LIOB-588, and L-INX Configurator, where password-change requests are sent via cleartext HTTP. This means that when a user or system initiates a password change, the request containing the new password is transmitted without encryption, making it susceptible to interception by any attacker with network access. The vulnerability is classified under CWE-319 (Cleartext Transmission of Sensitive Information) and has a CVSS 3.1 base score of 7.5, indicating high severity. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality (C:H) but not integrity or availability. The scope is unchanged (S:U), meaning the vulnerability affects only the vulnerable component. Since these devices are commonly used in building automation and control systems, interception of password-change requests could allow attackers to obtain credentials and gain unauthorized access to device management interfaces. No patches or updates have been published yet, and no known exploits are reported in the wild. The vulnerability poses a significant risk in environments where these devices are deployed on networks without adequate encryption or segmentation.
Potential Impact
For European organizations, especially those managing smart buildings, industrial control systems, or critical infrastructure using LOYTEC devices, this vulnerability presents a serious confidentiality risk. Attackers on the same network segment can intercept password-change requests, potentially capturing administrative credentials. This could lead to unauthorized access, manipulation of building automation systems, or disruption of services. The impact is heightened in environments lacking network segmentation or encrypted communication channels. Confidentiality breaches could expose sensitive operational data and control mechanisms, undermining trust and potentially causing operational disruptions. Given the widespread use of LOYTEC devices in commercial and industrial buildings across Europe, the vulnerability could affect sectors such as energy management, facility management, and public infrastructure. The absence of known exploits suggests the threat is currently theoretical but could be exploited if attackers gain network access.
Mitigation Recommendations
Since no patches are currently available, European organizations should implement immediate compensating controls. First, isolate LOYTEC devices on dedicated, segmented networks with strict access controls to limit exposure to untrusted users. Employ VPNs or secure tunnels (e.g., IPsec, TLS-based VPNs) for remote management to encrypt all traffic, preventing interception of sensitive requests. Monitor network traffic for unusual HTTP requests or password-change attempts to detect potential reconnaissance or exploitation. Disable remote management over untrusted networks if possible. Where feasible, replace or upgrade devices to versions supporting encrypted communication protocols. Educate administrators on the risks of transmitting sensitive data in cleartext and enforce strong password policies. Regularly audit device configurations and network architecture to ensure adherence to security best practices. Engage with LOYTEC support channels for updates or patches addressing this vulnerability.
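The monitoring step above can be sketched as follows. This is an added example, not code from LOYTEC or from this advisory: it flags cleartext HTTP requests to inventoried devices that carry password-like parameters, and records field names only, never values. The device addresses, URL paths and parameter names are assumptions, since the advisory does not document the real endpoint.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed inventory of LOYTEC management addresses (constructed, RFC 5737).
DEVICE_IPS = {"192.0.2.10", "192.0.2.11"}
# Hypothetical parameter names: the advisory does not document the real ones.
PASSWORD_KEY = re.compile(r"pass|pwd", re.IGNORECASE)
FORM = "Content-Type: application/x-www-form-urlencoded\r\n\r\n"

# Constructed flow records, shaped like the export of an HTTP-aware sensor.
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "dst": "192.0.2.10", "dport": 80,
     "request": "POST /placeholder/account HTTP/1.1\r\n" + FORM
                + "user=admin&new_password=EXAMPLE-ONLY&confirm_pwd=EXAMPLE-ONLY"},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "dport": 80,
     "request": "GET /placeholder/status?page=1 HTTP/1.1\r\n\r\n"},
    # TLS session: the sensor sees no HTTP request at all.
    {"src": "198.51.100.8", "dst": "192.0.2.11", "dport": 443, "request": None},
    # Cleartext password form, but the destination is not an inventoried device.
    {"src": "198.51.100.9", "dst": "203.0.113.5", "dport": 80,
     "request": "POST /login HTTP/1.1\r\n" + FORM + "password=EXAMPLE-ONLY"},
]

def password_fields(request):
    """Return (path, names of password-like parameters); values are dropped."""
    head, _, body = request.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ")
    if len(parts) != 3:
        return "", []  # not a parseable HTTP request line
    method, target, _version = parts
    url = urlsplit(target)
    pairs = parse_qsl(url.query, keep_blank_values=True)
    if method in ("POST", "PUT"):
        pairs += parse_qsl(body, keep_blank_values=True)
    return url.path, sorted({k for k, _ in pairs if PASSWORD_KEY.search(k)})

def find_cleartext_password_changes(flows, devices=DEVICE_IPS):
    alerts = []
    for flow in flows:
        # A readable request means it crossed the wire unencrypted.
        if flow["dst"] not in devices or not flow.get("request"):
            continue
        path, fields = password_fields(flow["request"])
        if fields:
            alerts.append({"src": flow["src"], "dst": flow["dst"],
                           "path": path, "fields": fields})
    return alerts

if __name__ == "__main__":
    for alert in find_cleartext_password_changes(SAMPLE_FLOWS):
        print(alert)
```

Each alert identifies a management client that still reaches a device outside an encrypted tunnel, which is the exposure the segmentation and VPN controls are meant to close.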
Affected Countries
Germany, France, United Kingdom, Netherlands, Switzerland, Austria, Belgium, Italy, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2023-10-23T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d983ac4522896dcbed0f4
Added to database: 5/21/2025, 9:09:14 AM
Last enriched: 11/4/2025, 11:47:06 PM
Last updated: 11/30/2025, 3:58:03 PM