High-Severity Flaws Uncovered in Bosch Thermostats and Smart Nutrunners

Multiple security vulnerabilities have been disclosed in Bosch BCC100 thermostats and Rexroth NXA015S-36V-B smart nutrunners that, if successfully exploited, could allow attackers to execute arbitrary code on affected systems.

Romanian cybersecurity firm Bitdefender, which discovered the flaw in Bosch BCC100 thermostats last August, said the issue could be weaponized by an attacker to alter the device firmware and implant a rogue version.

Tracked as CVE-2023-49722 (CVSS score: 8.3), the high-severity vulnerability was addressed by Bosch in November 2023.

“A network port 8899 is always open in BCC101/BCC102/BCC50 thermostat products, which allows an unauthenticated connection from a local WiFi network,” the company said in an advisory.

The issue, at its core, impacts the WiFi microcontroller that acts as a network gateway for the thermostat’s logic microcontroller.

By exploiting the flaw, an attacker could send commands to the thermostat, including writing a malicious update to the device that could either render the device inoperable or act as a backdoor to sniff traffic, pivot onto other devices, and other nefarious activities.

Bosch has corrected the shortcoming in firmware version 4.13.33 by closing the port 8899, which it said was used for debugging purposes.

The German engineering and tech company has also been made aware of over two dozen flaws in Rexroth Nexo cordless nutrunners that an unauthenticated attacker could abuse to disrupt operations, tamper with critical configurations, and even install ransomware.

“Given that the NXA015S-36V-B is certified for safety-critical tasks, an attacker could compromise the safety of the assembled product by inducing suboptimal tightening, or cause damage to it due to excessive tightening,” Nozomi Networks said.

The flaws, the operational technology (OT) security firm added, could be used to obtain remote execution of arbitrary code (RCE) with root privileges, and make the pneumatic torque wrench unusable by hijacking the onboard display and disabling the trigger button to demand a ransom.

“Given the ease with which this attack can be automated across numerous devices, an attacker could swiftly render all tools on a production line inaccessible, potentially causing significant disruptions to the final asset owner,” the company added.

Patches for the vulnerabilities, which impact several NXA, NXP, and NXV series devices, are expected to be shipped by Bosch by the end of January 2024. In the interim, users are recommended to limit the network reachability of the device as much as possible and review accounts that have login access to the device.

The development comes as Pentagrid identified several vulnerabilities in Lantronix EDS-MD IoT gateway for medical devices, one which could be leveraged by a user with access to the web interface to execute arbitrary commands as root on the underlying Linux host.