Snap One OvrC Cloud (Update A)

Plan PatchCVSS 9.1ICS-CERT ICSA-23-136-01May 16, 2023

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

OvrC Pro versions prior to 7.3 contain multiple vulnerabilities in authentication, information disclosure, and device claiming mechanisms. Successful exploitation allows an attacker to impersonate and claim devices without authentication, execute arbitrary code on the platform, and disclose device information. Vulnerabilities include insufficient authentication (CWE-290, CWE-306), information exposure (CWE-204, CWE-319), and insecure UPnP configuration (CWE-420, CWE-912). These flaws affect the cloud management platform's core device registration and code execution functions.

What this means

What could happen

An attacker could impersonate legitimate devices, execute arbitrary code on the OvrC Pro platform, and access sensitive information about connected devices. This could allow unauthorized control of building automation and security systems managed through the cloud platform.

Who's at risk

Building automation and security system operators who use Snap One OvrC Pro for cloud-based device management. This includes property managers, integrators, and facilities teams managing HVAC, lighting, access control, and surveillance systems connected through OvrC.

How it could be exploited

An attacker on the network could exploit insufficient authentication or UPnP discovery mechanisms to claim or register unauthorized devices in the OvrC cloud, then execute arbitrary code with the permissions of the OvrC Pro service. The attack requires network access to the device or its cloud endpoint but no valid credentials or user interaction.

Prerequisites

Network access to OvrC Pro device or cloud endpoint
UPnP enabled (default)
No valid credentials required

remotely exploitableno authentication requiredlow complexityhigh CVSS score (9.1)

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (1)

ProductAffected VersionsFix Status

OvrC Pro: <7.3<7.37.3

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDDisable UPnP on OvrC Pro devices

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate OvrC Pro to version 7.3 or later via automatic cloud update

Long-term hardening

0/3

HARDENINGPlace OvrC Pro and managed devices behind firewalls; block direct internet access

HARDENINGIsolate OvrC Pro cloud management network from business network where feasible

HARDENINGIf remote access required, use VPN with current patches

CVEs (10)

CVE-2023-28649 CVE-2023-28412 CVE-2023-31241 CVE-2023-31193 CVE-2023-28386 CVE-2023-31245 CVE-2023-31240 CVE-2023-25183 CVE-2024-50380 CVE-2024-50381

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/2bf8bd99-5528-4183-944d-c212af7283c2

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.