OTPulse

Snap One Wattbox WB-300-IP-3

Status: Plan Patch
CVSS: 7.5
Source: ICS-CERT ICSA-23-026-03, Jan 26, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Snap One Wattbox WB-300-IP-3 firmware versions WB10.9a17 and earlier contain multiple vulnerabilities, including improper restriction of excessive authentication attempts (CWE-307), a heap-based buffer overflow (CWE-122), plaintext storage of credentials (CWE-256), and insufficient verification of data authenticity (CWE-345). Together these flaws allow remote code execution, password brute forcing, and device bricking without authentication. Snap One has released firmware version WB10.B929 as the fix. Devices that cannot be updated remain exposed and must rely on the network mitigations below.

What this means
What could happen
An attacker with network access to a Wattbox WB-300-IP-3 could remotely execute code on the device, alter power distribution settings (switching outlets that feed other equipment), or render it inoperable by corrupting its firmware.
Who's at risk
Water utilities and municipal electric systems that use Snap One Wattbox WB-300-IP-3 intelligent power distribution units (PDUs) to manage power to remote telemetry, SCADA, or field devices. Anyone relying on this device for remote reboot or outlet control should prioritize this advisory, because control of the PDU is control of the power to everything plugged into it.
How it could be exploited
An attacker who can reach the Wattbox management interface over the network can brute-force the password, since the device does not limit failed login attempts, or trigger the heap buffer overflow to gain command execution. With control of the device, the attacker can switch power outlets serving critical equipment or deny service by corrupting its firmware.
Prerequisites
  • Network access to the Wattbox WB-300-IP-3 management interface (typically HTTP/HTTPS on the device's web interface)
  • Device running firmware version WB10.9a17 or earlier
  • No authentication required for some exploit paths
  • Remotely exploitable
  • No authentication required for some attack paths
  • High CVSS score (7.5)
  • Can cause denial of service (device bricking)
  • Devices that cannot be updated remain exposed
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (1)
Product: Wattbox WB-300-IP-3 · Affected versions: WB10.9a17 and earlier · Fix status: fixed in WB10.B929
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the Wattbox management interface to authorized engineering workstations only, using firewall rules.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Wattbox WB-300-IP-3 firmware to version WB10.B929 or later.
Long-term hardening
HARDENING: Isolate the Wattbox and all control system devices from the business network and the Internet, using a DMZ or an air-gapped network segment.
HARDENING: If remote access is required, enforce access through a VPN that is kept patched, monitored, and protected with strict authentication.
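While the firmware update waits for a maintenance window, two things are worth watching in the logs of whatever sits in front of the PDU (reverse proxy, firewall, or span port): connections to the management interface from hosts that are not on the engineering-workstation allowlist, which means the "Do now" firewall workaround is not actually enforced, and bursts of failed logins, which is what the brute-force path described under "How it could be exploited" looks like on the wire, since the device itself does not limit authentication attempts (CWE-307). The script below is an added example, not code from this page or from Snap One. The log format, the IP addresses, the allowlist and the PDU address are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample (not captured from a real device): access records for a PDU
# management interface at 10.10.9.50, in a hypothetical reverse-proxy/firewall format:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dport> <method> <path> <http_status>"
SAMPLE_LOG = """\
2023-02-01T10:00:01 10.10.5.20 -> 10.10.9.50:80 POST /login 401
2023-02-01T10:00:09 10.10.5.20 -> 10.10.9.50:80 POST /login 200
2023-02-01T10:00:12 10.10.5.20 -> 10.10.9.50:80 GET /outlets 200
2023-02-01T10:01:00 10.10.5.21 -> 10.10.9.50:443 POST /login 401
2023-02-01T10:02:30 10.10.5.21 -> 10.10.9.50:443 POST /login 401
2023-02-01T10:04:15 10.10.5.21 -> 10.10.9.50:443 POST /login 401
2023-02-01T10:05:00 10.10.7.99 -> 10.10.9.50:80 POST /login 401
2023-02-01T10:05:03 10.10.7.99 -> 10.10.9.50:80 POST /login 401
2023-02-01T10:05:06 10.10.7.99 -> 10.10.9.50:80 POST /login 401
2023-02-01T10:05:09 10.10.7.99 -> 10.10.9.50:80 POST /login 401
2023-02-01T10:05:12 10.10.7.99 -> 10.10.9.50:80 POST /login 401
2023-02-01T10:05:15 10.10.7.99 -> 10.10.9.50:80 POST /login 401
2023-02-01T10:06:00 10.10.7.99 -> 10.10.9.60:80 GET / 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, method, path, status = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst, "dport": int(dport),
            "method": method, "path": path, "status": int(status),
        })
    events.sort(key=lambda e: e["ts"])  # the sliding window below assumes chronological order
    return events


def unauthorized_sources(events, pdu_ip, mgmt_ports, allowed_hosts):
    """Hosts that reached the PDU management ports without being on the engineering allowlist.
    Any hit means the 'restrict access with firewall rules' workaround is not enforced."""
    return sorted({
        e["src"] for e in events
        if e["dst"] == pdu_ip and e["dport"] in mgmt_ports and e["src"] not in allowed_hosts
    })


def brute_force_sources(events, pdu_ip, threshold=5, window_seconds=60):
    """Hosts with at least `threshold` failed logins (HTTP 401) against the PDU inside any
    `window_seconds` span. The device does not rate-limit logins (CWE-307), so the
    check has to live in the monitoring layer rather than on the device."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = set()
    for e in events:
        if e["dst"] != pdu_ip or e["status"] != 401:
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that have aged out of the window
        if len(q) >= threshold:
            flagged.add(e["src"])
    return sorted(flagged)


def audit(text, pdu_ip="10.10.9.50", mgmt_ports=(80, 443),
          allowed_hosts=("10.10.5.20", "10.10.5.21")):
    """Run both checks over a log and return the findings (hypothetical defaults)."""
    events = parse_log(text)
    return {
        "events": len(events),
        "unauthorized": unauthorized_sources(events, pdu_ip, set(mgmt_ports), set(allowed_hosts)),
        "brute_force": brute_force_sources(events, pdu_ip),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample data the unauthorized host 10.10.7.99 is the same one hammering /login, while the allowed workstation 10.10.5.21 with three failures spread over several minutes stays under the default threshold; tightening the window (for example three failures in five minutes) would flag it too, so tune the threshold to how the site's operators actually use the device.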