Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Critical Flaws Expose Mimosa Wireless Broadband Devices to Remote Attacks

A researcher has discovered several critical vulnerabilities in wireless broadband products made by Mimosa Networks. The flaws can expose affected devices to remote attacks.

Mimosa, a division of Airspan, provides wireless broadband solutions that can be used to connect dense urban homes, as well as hard-to-reach rural homes.

A researcher has discovered several critical vulnerabilities in wireless broadband products made by Mimosa Networks. The flaws can expose affected devices to remote attacks.

Mimosa, a division of Airspan, provides wireless broadband solutions that can be used to connect dense urban homes, as well as hard-to-reach rural homes.

Mimosa vulnerabilitiesAccording to an advisory published last week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Mimosa’s management platform (MMP), as well as its point-to-point (PTP) and point-to-multipoint (PTMP) products are affected by seven types of vulnerabilities.

Four of the security holes have been assigned a severity rating of “critical,” including issues that can be exploited for remote code execution, obtaining sensitive information, and causing a denial-of-service (DoS) condition. Two of the remaining flaws, which can be exploited for arbitrary code execution and obtaining sensitive information, have been rated “high severity.”

Mimosa has released updates that should patch these vulnerabilities.

SecurityWeek has reached out to Noam Moshe, vulnerability researcher at industrial and IoT security firm Claroty, who has been credited for finding the flaws.

Moshe says the vulnerabilities can be exploited remotely from the internet — the attacker only needs to be able to access the cloud-based management web interface. The security holes expose all cloud-connected devices to attacks.

“Before the vulnerabilities were patched, to exploit these vulnerabilities an attacker would have needed to send specially crafted requests to the cloud servers in order to gain full access,” the researcher explained.

He added, “By exploiting these vulnerabilities, a remote attacker could exfiltrate sensitive data from all cloud-connected devices, including the device’s real-life locations, shared secrets and internal data of the company that owns the device. Furthermore, attackers could even achieve remote code execution on field internet-supplying devices, gaining full control of the devices and full access to any information being kept on them.”

According to CISA, the vulnerabilities have been patched by Mimosa with the release of version 1.0.4 of MMP and version 2.90 for the impacted PTP and PTMP products.

Related: FragAttacks: New Vulnerabilities Expose All Devices With Wi-Fi to Attacks

Related: Vulnerabilities in Realtek Wi-Fi Module Expose Many Devices to Remote Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.