Security researchers at Kaspersky's ICS CERT division revealed critical vulnerabilities in Telit Cinterion cellular modems, which are popularly used in the industrial, healthcare, and telecommunications sectors, BleepingComputer reports.
The flaws include a heap overflow issue designated as CVE-2023-47610 that could enable remote code execution via SMS, with NIST rating its severity as 9.8 out of 10. Attackers can exploit this flaw to execute arbitrary code remotely without authentication, posing serious risks to device integrity and network security. The seven other discovered vulnerabilities and one that's not yet been registered have received a lower severity score but can still be exploited to compromise the integrity of MIDlets. The group's research focused on the Cinterion EHS5-E series modem, but the vulnerabilities also affect the Cinterion BGS5, Cinterion EHS5/6/7, Cinterion PDS5/6/8, Cinterion ELS61/81, and the Cinterion PLS62 due to having similar hardware and software.
While Telit has addressed some vulnerabilities, others remain unpatched, leaving devices susceptible to exploitation. Mitigation strategies offered by Kaspersky include disabling SMS sending, enforcing application signature verification, and securing physical access to devices.