The Syrus4 IoT gateway, made by Digital Communications Technologies (DCT) and a component of the electronics stack of numerous automotive fleets, was found to be vulnerable to a remote code execution flaw (CVE-2023-6248), rated with a CVSS score of 10.
The flaw stems from an unsecured Message Queue Telemetry Transport (MQTT) server, which sends code to the Syrus4 IoT gateway via the cloud service to which the gateway is connected. The vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code; according to press reports, possible consequences include forcing a shutdown of the vehicle.
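The root cause described above is a gateway acting on whatever arrives over an unauthenticated command channel. As an added illustration (not Syrus4, DCT or any vendor's code), the following shows a defence-in-depth check a gateway can apply on top of broker authentication: a command payload is executed only if it carries a valid HMAC-SHA256 tag under a per-device key and a fresh timestamp. The payload layout, key and time window are constructed for this example.

```python
"""Added example, not vendor code: gateway-side authenticity and
freshness check for command payloads received over MQTT."""
import hashlib
import hmac
import json
import time

# Constructed example key; a real deployment provisions one secret per device.
DEVICE_KEY = b"example-per-device-key-not-real"
# Constructed freshness window: messages older than this are treated as replays.
MAX_AGE_SECONDS = 60


def sign_command(command, key, ts):
    """Build the wire payload: canonical JSON body, a '.', then a hex HMAC tag.
    This is the sender side (the cloud service) in the constructed layout."""
    body = json.dumps({"cmd": command, "ts": ts}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def verify_command(payload, key, now=None):
    """Return the command dict only if the payload is authentic and fresh;
    return None otherwise, so an unsigned, forged or stale message is never acted on."""
    now = int(time.time()) if now is None else now
    # The hex tag contains no '.', so the last '.' separates body from tag.
    body, sep, tag = payload.rpartition(b".")
    if not sep:
        return None  # no tag at all: the unauthenticated case the page describes
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered in transit
    try:
        msg = json.loads(body)
    except ValueError:
        return None  # authentic tag over malformed body is still rejected
    ts = msg.get("ts")
    if not isinstance(ts, int) or abs(now - ts) > MAX_AGE_SECONDS:
        return None  # replayed, or outside the accepted clock skew
    return msg.get("cmd")


if __name__ == "__main__":
    wire = sign_command({"action": "reboot"}, DEVICE_KEY, int(time.time()))
    print("accepted:", verify_command(wire, DEVICE_KEY))
    print("rejected unsigned:", verify_command(wire.rpartition(b".")[0], DEVICE_KEY))
```

Broker-level authentication and TLS remain the primary fix; this check limits the damage when the transport layer is misconfigured, as it was in the reported case.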
According to press reports, the key risk is that this vulnerability affects whole fleets rather than individual vehicles. Reports on the number of exposed vehicles are inconsistent: one figure is about 4,000 vulnerable vehicles, mainly across the United States and Latin America, while another puts the potential exposure at 119,000 instances across 49 countries.
The vulnerability has been known since last April; however, according to press reports, the researchers who disclosed it have lamented the insufficient publicity and remediation so far.