Viessmann Climate Solutions SE Vitogate 300

Act NowCVSS 9.8ICS-CERT ICSA-24-254-01Sep 10, 2024

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Viessmann Vitogate 300 version 2.1.3.0 and earlier contains multiple vulnerabilities including hard-coded credentials (CWE-798), missing authentication (CWE-425), and improper input validation (CWE-77) that allow remote code execution without authentication over the network. The device acts as a building automation gateway controlling heating systems and climate management. Successful exploitation grants an attacker the ability to execute arbitrary code on the gateway.

What this means

What could happen

An attacker with network access to the Vitogate 300 device can execute arbitrary code remotely, potentially allowing them to manipulate heating system control logic, alter building climate settings, or disrupt heating operations across connected systems.

Who's at risk

Building automation and heating system operators who use Viessmann Vitogate 300 gateways to control and monitor large building climate systems. This includes facility managers at offices, hospitals, schools, multi-tenant buildings, and district heating networks that depend on this device to manage boiler and heating distribution control.

How it could be exploited

An attacker on the network sends a crafted request to the Vitogate 300 (which acts as a building automation gateway). The device contains hard-coded credentials and insufficient input validation that allow the attacker to inject commands or bypass authentication, resulting in remote code execution on the gateway device.

Prerequisites

Network access to the Vitogate 300 device (typically port 80/443 for web interface)
No valid credentials required—vulnerabilities allow unauthenticated exploitation

Remotely exploitableNo authentication requiredLow complexity attackHigh EPSS score (93.6%)Affects building automation systems

Exploitability

Likely to be exploited — EPSS score 93.6%

Affected products (1)

ProductAffected VersionsFix Status

Viessmann Vitogate 300: <=2.1.3.0≤ 2.1.3.03.0.0.0

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDBlock inbound internet access to the Vitogate 300 using firewall rules; allow only internal network and VPN connections

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Vitogate 300 firmware to version 3.0.0.0 or later

Long-term hardening

0/1

HARDENINGPlace the Vitogate 300 on an isolated network segment behind a firewall, separate from corporate IT networks and internet-facing systems

CVEs (3)

CVE-2023-5222 CVE-2023-5702 CVE-2023-45852

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7a5161dd-09e1-4680-b7ca-7e110040c340

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.