Multiple vulnerabilities have been discovered in Nexx smart devices. They can be exploited to control garage doors and smart plugs and to disable home alarms. Cybersecurity researcher Sam Sabetan discovered the bugs at the end of 2022, and the US Cybersecurity and Infrastructure Security Agency (CISA) has issued a security bulletin warning individuals and organizations using Nexx products about the vulnerabilities.

In total, the researcher found five vulnerabilities, most of which were assigned a “high” or “critical” severity rating. The most serious of these bugs is CVE-2023-1748: Nexx Cloud sets a universal password for all devices registered through the Nexx Home app for Android or iOS. This password is exposed both in the API communication and in the firmware that comes with the device, so an attacker can easily learn it and send commands to the device via MQTT.

Unfortunately, the manufacturer has not yet acknowledged or fixed the bugs described by the researcher.
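The universal-password design described above, set beside a broker-side check that binds each credential to one device and one topic prefix. This is an added example, not code from Nexx, the researcher or CISA; the function names, the `devices/<id>/...` topic layout, the device ids and the keys are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values; none of them come from Nexx firmware or its API.
UNIVERSAL_PASSWORD = "example-shared-password"
BROKER_MASTER_KEY = b"example-broker-master-key"  # stays on the server, never in firmware


def weak_authorize(client_id, password, topic):
    """Flawed design: one password for every device, no per-topic check."""
    return hmac.compare_digest(password.encode(), UNIVERSAL_PASSWORD.encode())


def device_password(device_id):
    """Per-device credential issued at provisioning: HMAC(master key, device id)."""
    return hmac.new(BROKER_MASTER_KEY, device_id.encode(), hashlib.sha256).hexdigest()


def topic_allowed(device_id, topic):
    """ACL: a client may only use topics under its own devices/<id>/ prefix."""
    levels = topic.split("/")
    if "#" in levels or "+" in levels:  # this sketch rejects MQTT wildcards outright
        return False
    return len(levels) >= 3 and levels[0] == "devices" and levels[1] == device_id


def hardened_authorize(client_id, password, topic):
    """The credential must match this client id and the topic must belong to it."""
    expected = device_password(client_id)
    credential_ok = hmac.compare_digest(password.encode(), expected.encode())
    return credential_ok and topic_allowed(client_id, topic)


if __name__ == "__main__":
    cred_a = device_password("garage-A")
    checks = [
        ("weak: shared password, other owner's topic",
         weak_authorize("garage-B", UNIVERSAL_PASSWORD, "devices/garage-A/cmd")),
        ("hardened: own credential, own topic",
         hardened_authorize("garage-A", cred_a, "devices/garage-A/cmd")),
        ("hardened: own credential, other device's topic",
         hardened_authorize("garage-A", cred_a, "devices/garage-B/cmd")),
        ("hardened: device A's credential presented as device B",
         hardened_authorize("garage-B", cred_a, "devices/garage-B/cmd")),
    ]
    for label, allowed in checks:
        print(f"{label}: {'ALLOW' if allowed else 'DENY'}")
```

With per-device credentials, a secret recovered from one unit's firmware or API traffic is valid for that unit only, and the topic ACL keeps it from addressing any other device.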