CVE-2023-46889

CVE-2023-46889 is a medium-severity vulnerability in Meross Msh30q Firmware with a CVSS 3.x base score of 5.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-319.

Key facts

Description

Meross MSH30Q 4.5.23 is vulnerable to Cleartext Transmission of Sensitive Information. During the device setup phase, the MSH30Q creates an unprotected Wi-Fi access point. In this phase, MSH30Q needs to connect to the Internet through a Wi-Fi router. This is why MSH30Q asks for the Wi-Fi network name (SSID) and the Wi-Fi network password. When the user enters the password, the transmission of the Wi-Fi password and name between the MSH30Q and mobile application is observed in the Wi-Fi network. Although the Wi-Fi password is encrypted, a part of the decryption algorithm is public so we complemented the missing parts to decrypt it.

Frequently asked questions

What is CVE-2023-46889?
Meross MSH30Q 4.5.23 is vulnerable to Cleartext Transmission of Sensitive Information. During the device setup phase, the MSH30Q creates an unprotected Wi-Fi access point. In this phase, MSH30Q needs to connect to the Internet through a Wi-Fi router. This is why MSH30Q asks for the Wi-Fi network name (SSID) and the Wi-Fi network password. When the user enters the password, the transmission of the Wi-Fi password and name between the MSH30Q and mobile application is observed in the Wi-Fi network. Although the Wi-Fi password is encrypted, a part of the decryption algorithm is public so we complemented the missing parts to decrypt it.
How severe is CVE-2023-46889?
CVE-2023-46889 has a CVSS 3.x base score of 5.7, rated medium severity. It is exploitable over an adjacent network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity none, and availability none.
Is CVE-2023-46889 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (6th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2023-46889?
CVE-2023-46889 affects Meross Msh30q Firmware. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2023-46889?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2023-46889 have an EU (EUVD) identifier?
Yes. CVE-2023-46889 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-51055.
When was CVE-2023-46889 published?
CVE-2023-46889 was published on 2024-01-23 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Meross Msh30q Firmware

All CVEs affecting Meross Msh30q Firmware →

Other CWE-319 (Cleartext Transmission of Sensitive Information) vulnerabilities

Browse all CWE-319 (Cleartext Transmission of Sensitive Information) vulnerabilities →