CVE-2024-0390: Hard-coded credentials in iZZi connect application

9.8 CVSS

Description

INPRAX "iZZi connect" application on Android contains hard-coded MQTT queue credentials. The same MQTT queue is used by corresponding physical recuperation devices. Exploiting this vulnerability could potentially allow unauthorized access to manage and read parameters of the recuperation unit "reQnet iZZi".This issue affects "iZZi connect" application versions before 2024010401.

Classification

CVE ID: CVE-2024-0390

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

Problem Types

CWE-798 Use of Hard-coded Credentials

Affected Products

Vendor: INPRAX

Product: iZZi connect

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.24% (probability of being exploited)

EPSS Percentile: 44.75% (scored less or equal to compared to others)

EPSS Date: 2025-04-11 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-0390
https://cert.pl/en/posts/2024/02/CVE-2024-0390/
https://cert.pl/posts/2024/02/CVE-2024-0390/

Timeline

2025-03-13 18:40:14 UTC
CVE

Hard-coded credentials in iZZi connect application