Multiple vulnerabilities in Bosch Remote Programing Software
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2023-49263 CVE-2023-49264 CVE-2023-49265 CVE-2023-49266 CVE-2023-49267 |
| CWE-ID | CWE-256 CWE-321 CWE-319 CWE-521 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Bosch Remote Programing Software (RPS Lite) Client/Desktop applications / Other client software Bosch Remote Programing Software (RPS) Client/Desktop applications / Other client software |
| Vendor |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Unprotected storage of credentials
EUVDB-ID: #VU87500
Risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-49263
CWE-ID:
CWE-256 - Unprotected Storage of Credentials
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to other users' credentials.
The vulnerability exists due to application stored credentials in plain text in a configuration file on the system. A local user can view contents of the configuration file and gain access to passwords for 3rd party integration.
MitigationInstall updates from vendor's website.
Vulnerable software versionsBosch Remote Programing Software (RPS Lite): before 6.14.100
Bosch Remote Programing Software (RPS): before 6.14.100
External linkshttp://psirt.bosch.com/security-advisories/bosch-sa-099637-bt.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use of Hard-coded Cryptographic Key
EUVDB-ID: #VU87501
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-49264
CWE-ID:
CWE-321 - Use of Hard-coded Cryptographic Key
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to use of hard-coded cryptographic key. A remote attacker can access and view communications.
MitigationInstall updates from vendor's website.
Vulnerable software versionsBosch Remote Programing Software (RPS): before 6.14.100
Bosch Remote Programing Software (RPS Lite): before 6.14.100
External linkshttp://psirt.bosch.com/security-advisories/bosch-sa-099637-bt.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Cleartext transmission of sensitive information
EUVDB-ID: #VU87502
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-49265
CWE-ID:
CWE-319 - Cleartext Transmission of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to gain access to sensitive information.
The vulnerability exists due to software uses insecure communication channel to transmit sensitive information. A local attacker can gain access to sensitive data.
MitigationInstall updates from vendor's website.
Vulnerable software versionsBosch Remote Programing Software (RPS): before 6.14.100
Bosch Remote Programing Software (RPS Lite): before 6.14.100
External linkshttp://psirt.bosch.com/security-advisories/bosch-sa-099637-bt.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Use of Hard-coded Cryptographic Key
EUVDB-ID: #VU87503
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-49266
CWE-ID:
CWE-321 - Use of Hard-coded Cryptographic Key
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to use of hard-coded cryptographic key. A local attacker can access the exported file.
MitigationInstall updates from vendor's website.
Vulnerable software versionsBosch Remote Programing Software (RPS): before 6.14.100
Bosch Remote Programing Software (RPS Lite): before 6.14.100
External linkshttp://psirt.bosch.com/security-advisories/bosch-sa-099637-bt.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Weak password requirements
EUVDB-ID: #VU87504
Risk: Low
CVSSv3.1: 4.5 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-49267
CWE-ID:
CWE-521 - Weak Password Requirements
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform brute-force attack and guess the password.
The vulnerability exists due to weak password requirements. A local attacker can perform a brute-force attack and guess users' passwords.
MitigationInstall updates from vendor's website.
Vulnerable software versionsBosch Remote Programing Software (RPS): before 6.14.100
Bosch Remote Programing Software (RPS Lite): before 6.14.100
External linkshttp://psirt.bosch.com/security-advisories/bosch-sa-099637-bt.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
