An issue was discovered in imonnit.com (2025-04-24) allowing malicious actors to gain escalated privileges via crafted password reset to take over arbitrary user accounts.
The flaw classified as CWE-640 indicates a defective password recovery mechanism. An attacker can send a crafted password reset request which, due to improper validation or predictable tokens, allows setting a new password for any account. As a result, the attacker gains escalated privileges and full control over the chosen account without knowledge of the original login credentials.
An attacker can take control of any user account on the iMonnit platform, gaining full access to data, sensor configurations, and administrative functions assigned to the compromised account.
Apply patches available from the vendor according to references. It is also recommended to enforce re-authentication for all active sessions, review password reset logs for abuse, and implement monitoring of anomalous password reset requests.
Monnit iMonnit platform (imonnit.com) — version identified on 2025-04-24; specific versions indicated in vendor references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMonnit Imonnit
APPMonnitwszystkie wersje