CVE-2019-11523

moderate-risk
Published 2019-06-06

Anviz Global M3 Outdoor RFID Access Control executes any command received from any source. No authentication/encryption is done. Attackers can fully interact with the device: for example, send the "open door" command, download the users list (which includes RFID codes and passcodes in cleartext), or update/create users. The same attack can be executed on a local network and over the internet (if the device is exposed on a public IP address).

Do I need to act?

~
2.5% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

M3 Firmware

Affected Vendors

Anviz

References (2)

Exploit https://github.com/wizlab-it/anviz-m3-rfid-cve-2019-11523-poc
Exploit https://github.com/wizlab-it/anviz-m3-rfid-cve-2019-11523-poc
43
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 6/34 · Minimal
Exposure 5/34 · Minimal