Viessmann Climate Solutions SE Vitogate 300

Act Now9.8ICS-CERT ICSA-24-254-01Sep 10, 2024

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Viessmann Vitogate 300 firmware versions 2.1.3.0 and earlier contain hardcoded credentials (CWE-798), insecure protocol handling (CWE-425), and command injection vulnerabilities (CWE-77). These flaws allow remote code execution without authentication. Viessmann recommends updating to version 3.0.0.0. Affected devices are heating system gateways used in building automation for temperature control and diagnostics. Exploitation is straightforward with high probability (EPSS 93.6%).

What this means

What could happen

An attacker with network access to the Vitogate 300 could execute arbitrary code on the device, potentially taking control of heating system operations, setpoints, and diagnostics in residential and commercial buildings.

Who's at risk

Building automation technicians and facilities managers operating Viessmann Vitogate 300 heating/HVAC control gateways in residential complexes, commercial buildings, and district heating systems. Any organization using Vitogate 300 as the primary controller for building climate control is at risk.

How it could be exploited

An attacker with network access to the Vitogate 300 (default or misconfigured network exposure) can send a specially crafted network request to trigger hardcoded credentials (CWE-798) or command injection (CWE-77) to achieve remote code execution without authentication.

Prerequisites

Network access to the Vitogate 300 device (port unspecified; verify with Viessmann)
No authentication required

remotely exploitableno authentication requiredlow complexityhigh EPSS score (93.6%)no patch available yetaffects building automation/climate control systems

Exploitability

High exploit probability (EPSS 93.6%)

Affected products (1)

ProductAffected VersionsFix Status

Viessmann Vitogate 300: <=2.1.3.0≤ 2.1.3.03.0.0.0

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to Vitogate 300 devices using firewall rules; block all inbound traffic from untrusted networks and the internet

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Vitogate 300 to firmware version 3.0.0.0 or later

Long-term hardening

0/2

HARDENINGIsolate the heating system network from the business/IT network using a firewall or air-gap

HARDENINGIf remote access is required, deploy a VPN and keep it updated; ensure VPN credentials are strong and unique

CVEs (3)

CVE-2023-5222 CVE-2023-5702 CVE-2023-45852

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7a5161dd-09e1-4680-b7ca-7e110040c340