Impacted Devices and Firmware:<\/strong><\/p>\n\n\n\n Summary: <\/strong><\/p>\n\n\n\n Changing the mail server within the device allows the configured credentials to be sent in plaintext to an attacker via credential pass-back attack.<\/p>\n\n\n\n Description: <\/strong><\/p>\n\n\n\n An individual with administrative access can change the mail server host within the device. An attacker who has obtained administrative access can update the mail server to an attacker controller IP. When the device attempts to authenticate to the mail server, it will pass the previously configured credentials in plaintext to the attacker\u2019s IP.<\/p>\n\n\n\n Recommendation: <\/strong><\/p>\n\n\n\n For users of S-models, upgrade to firmware 1.10.4 or higher which requires SMTP credentials to be re-entered whenever the mail server host is changed. Regardless of the model, AVTECH strongly recommends that users set custom administrative credentials on the device to restrict access to all settings, including SMTP settings. When using E-models, use Room Alert Account or Room Alert Manager, where possible, to send email notifications instead of sending them directly from the device. If the device is not being used to send emails, ensure any SMTP credentials have been removed from the device.\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":" May 16, 2024 CVE-2024-33471 Impacted Devices and Firmware: Summary: Changing the mail server within the device allows the configured credentials to be sent in plaintext to an attacker via credential pass-back attack. Description: An individual with administrative access can change the mail server host within the device. An attacker who has obtained administrative access can update […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0},"categories":[300],"tags":[],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\t\n\n