Kaspersky Lab publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky Lab does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.
| KL-IDS | KLCERT-18-005 |
| CVE-IDS | CVE-2018-15125 |
| Publication date | 2018.08.08 |
| Researcher | Andrey Muravitsky, Critical Infrastructure Defense Team, Kaspersky Lab ICS CERT |
| Description | A remote attacker can get sensitive information that expands attack surface. |
| Impact | An unauthenticated attacker may be able to extract sensitive information about alive Zipatobox devices and their technical information. |
| Severity | |
| CVSS v3 Base Score: | 8.6 |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| Exploitability | Remotely |
| Difficulty | Low |
| User interaction | None |
| Existence of exploit | Unknown |
| Affected products | |
| Affected products | Zipato Zipabox (smart home controller) |
| Mitigation | |
| Vendor mitigation | Vendor stopped responding on our emails. |
| Timeline | 2018.01.12 – Vulnerabilities reported 2018.01.29 – First feedback from vendor 2018.06.06 – Vendor notifies that some vulnerabilities are fixed 2018.07.07 – Reminder sent to vendor No feedback form vendor |