Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Critical Flaws Expose Mimosa Wireless Broadband Devices to Remote Attacks

A researcher has discovered several critical vulnerabilities in wireless broadband products made by Mimosa Networks. The flaws can expose affected devices to remote attacks.

Mimosa, a division of Airspan, provides wireless broadband solutions that can be used to connect dense urban homes, as well as hard-to-reach rural homes.

A researcher has discovered several critical vulnerabilities in wireless broadband products made by Mimosa Networks. The flaws can expose affected devices to remote attacks.

Mimosa, a division of Airspan, provides wireless broadband solutions that can be used to connect dense urban homes, as well as hard-to-reach rural homes.

Mimosa vulnerabilitiesAccording to an advisory published last week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Mimosa’s management platform (MMP), as well as its point-to-point (PTP) and point-to-multipoint (PTMP) products are affected by seven types of vulnerabilities.

Four of the security holes have been assigned a severity rating of “critical,” including issues that can be exploited for remote code execution, obtaining sensitive information, and causing a denial-of-service (DoS) condition. Two of the remaining flaws, which can be exploited for arbitrary code execution and obtaining sensitive information, have been rated “high severity.”

Mimosa has released updates that should patch these vulnerabilities.

SecurityWeek has reached out to Noam Moshe, vulnerability researcher at industrial and IoT security firm Claroty, who has been credited for finding the flaws.

Moshe says the vulnerabilities can be exploited remotely from the internet — the attacker only needs to be able to access the cloud-based management web interface. The security holes expose all cloud-connected devices to attacks.

“Before the vulnerabilities were patched, to exploit these vulnerabilities an attacker would have needed to send specially crafted requests to the cloud servers in order to gain full access,” the researcher explained.

He added, “By exploiting these vulnerabilities, a remote attacker could exfiltrate sensitive data from all cloud-connected devices, including the device’s real-life locations, shared secrets and internal data of the company that owns the device. Furthermore, attackers could even achieve remote code execution on field internet-supplying devices, gaining full control of the devices and full access to any information being kept on them.”

Advertisement. Scroll to continue reading.

According to CISA, the vulnerabilities have been patched by Mimosa with the release of version 1.0.4 of MMP and version 2.90 for the impacted PTP and PTMP products.

Related: FragAttacks: New Vulnerabilities Expose All Devices With Wi-Fi to Attacks

Related: Vulnerabilities in Realtek Wi-Fi Module Expose Many Devices to Remote Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

Xage Security has appointed Russell McGuire as CRO and Ashraf Daqqa as VP of the META region.

Solana co-founder Stephen Akridge has been appointed the CEO of data protection firm Cyber Grant.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.