Hackread reports that widely used Bosch BCC100 thermostats have been discovered by Bitdefender Labs researchers to be impacted by a vulnerability that could be exploited for malware deployment.
Attackers could leverage the flaw, tracked as CVE-2023-49722, to infiltrate thermostat settings and data, remotely replace device firmware, and distribute malware in BCC100 thermostats versions 1.7.0 HD Version 4.13.22, according to the Bitdefender report. Researchers noted that the security bug stems from the inability of the thermostat's microcontroller, which is composed of an STMicroelectronics chip for primary logic and a Hi-Flying chip for Wi-Fi, to filter messages from the cloud server; those messages could be malicious and could be used to deliver malware. Bosch, which has already issued patches for the bug, urged users not only to apply thermostat firmware updates and change their default admin passwords, but also to curb unneeded internet connectivity for thermostats and to restrict unauthorized device access through a firewall.
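The root cause described above is a device that acts on whatever arrives over its cloud channel, including firmware-update commands. The following added example (not code from Bosch, Bitdefender or the BCC100 firmware) contrasts that unfiltered handler with a hardened one that authenticates each message and binds the signed command to the digest of the image before flashing. It uses HMAC-SHA256 from the Python standard library as a stand-in for a real signature scheme; the key, message format, command names and firmware images are all constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key (hypothetical). A deployed device should hold only a
# public key for an asymmetric scheme, so that dumping device storage does
# not yield the ability to forge updates; HMAC is used here to stay stdlib-only.
DEVICE_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(body: dict) -> bytes:
    """Serialize a command deterministically so signer and verifier agree on bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(body: dict, key: bytes = DEVICE_KEY) -> dict:
    """Server side (constructed): wrap a command in an envelope carrying an auth tag."""
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def handle_unfiltered(envelope: dict, firmware: bytes) -> str:
    """Vulnerable pattern: every message on the cloud channel is trusted and acted on."""
    body = envelope.get("body", {})
    if body.get("cmd") == "firmware_update":
        return "flashed"  # no check of who sent the command or what the image is
    return "ignored"


def handle_verified(envelope: dict, firmware: bytes, key: bytes = DEVICE_KEY) -> str:
    """Hardened pattern: authenticate the envelope, then bind it to the image before flashing."""
    body = envelope.get("body")
    tag = envelope.get("tag")
    if not isinstance(body, dict) or not isinstance(tag, str):
        return "rejected: malformed"
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking tag bytes through timing.
    if not hmac.compare_digest(expected, tag):
        return "rejected: bad signature"
    if body.get("cmd") != "firmware_update":
        return "ignored"
    # The signed body names the image digest, so a swapped download is caught too.
    if hashlib.sha256(firmware).hexdigest() != body.get("sha256"):
        return "rejected: image digest mismatch"
    return "flashed"


# Constructed sample traffic for the demo.
GENUINE_IMAGE = b"constructed genuine firmware image"
TAMPERED_IMAGE = b"constructed attacker-supplied image"

GENUINE_UPDATE = sign_message({
    "cmd": "firmware_update",
    "version": "demo-1",
    "sha256": hashlib.sha256(GENUINE_IMAGE).hexdigest(),
})

# An envelope injected onto the channel without the signing key: the tag is garbage.
FORGED_UPDATE = {
    "body": {
        "cmd": "firmware_update",
        "version": "demo-1",
        "sha256": hashlib.sha256(TAMPERED_IMAGE).hexdigest(),
    },
    "tag": "00" * 32,
}

if __name__ == "__main__":
    print("unfiltered, forged:", handle_unfiltered(FORGED_UPDATE, TAMPERED_IMAGE))
    print("verified, forged:  ", handle_verified(FORGED_UPDATE, TAMPERED_IMAGE))
    print("verified, genuine: ", handle_verified(GENUINE_UPDATE, GENUINE_IMAGE))
    print("verified, swapped: ", handle_verified(GENUINE_UPDATE, TAMPERED_IMAGE))
```

The second check matters as much as the first: authenticating the command alone still lets a tampered image through if the download path is separate from the command path, so the signed body should commit to the image digest. On the network side, the firewall advice in the report complements this by limiting which hosts can reach the device's cloud channel in the first place.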