Clipeus

Critical Vulnerability Impacting Automotive Component

The Syrus4 IoT gateway made by Digital Communications Technologies (DCT), a component of the electronics stack of numerous automotive fleets, was found to be vulnerable to a remote code execution flaw (CVE-2023-6248), which has been rated with a CVSS score of 10.


The flaw stems from an unsecured Message Queue Telemetry Transport (MQTT) server which sends code to the Syrus4 IoT gateway via the cloud service to which it is connected. This vulnerability may enable a remote, unauthenticated attacker to execute arbitrary code. According to press reports, the resulting actions may include forcing a shutdown of the vehicle.


As indicated by press reports, the risk is that this vulnerability would affect a whole fleet rather than individual vehicles. Reports on the number of potentially exposed vehicles are inconsistent; it appears that there are potentially about 4,000 vulnerable vehicles, mainly across the United States and Latin America. However, there are reportedly potential vulnerabilities for 119,000 instances across 49 countries.


The vulnerability has been known since last April; however, according to press reports, the researchers who disclosed it lamented insufficient publicity and remediation actions.

If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to info@clipeusintelligence.com with your inquiry. We would be glad to assist you.
