Vulnerabilities in the Reyee cloud management platform and Reyee OS network appliances could allow threat actors to take over tens of thousands of devices, according to a warning from cybersecurity firm Claroty.
Ruijie devices use the MQTT messaging protocol for communication: each device authenticates to a broker with a username/password pair, where the username is the device's serial number and the password is a SHA256 hash of the reversed serial number.
“This means that by knowing a device’s serial number, we could generate its MQTT username/password pair, and authenticate to Ruijie’s MQTT broker on its behalf. The issue is that serial number is not a strong identifier because it usually follows a sequential pattern,” Claroty warned in an advisory.
After successfully connecting to Ruijie’s MQTT broker, and understanding how the devices would notify the cloud about events and receive commands from it, Claroty discovered that it could retrieve a list of “all cloud connected devices’ serial numbers,” meaning it could generate credentials for any of them.
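The design weakness described above is that the MQTT "password" carries no secret material of its own: it is a deterministic function of a public, roughly sequential identifier, so knowing the serial is the same as knowing the credential. The following Python example, added here and not taken from Claroty's advisory or Ruijie's code, contrasts that identifier-derived scheme with a hardened design assumed for illustration (a random per-device secret injected at provisioning, with the broker storing only a salted hash). The scheme in `weak_credentials` follows the page's description; `provision_device` and `authenticate` are the assumed replacement, not a description of how Ruijie fixed the issue.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def weak_credentials(serial: str) -> Tuple[str, str]:
    """Identifier-derived credentials of the kind the advisory describes:
    username = serial, password = SHA-256 of the reversed serial.
    Anyone who knows (or can enumerate) the serial reproduces the password,
    so the password adds zero entropy beyond the identifier itself."""
    username = serial
    password = hashlib.sha256(serial[::-1].encode("ascii")).hexdigest()
    return username, password


# --- Hardened alternative (assumed design for illustration) ----------------

# Broker-side registry: serial -> (salt, hash of the per-device secret).
# Only a hash is kept, so a leaked registry does not yield usable passwords.
REGISTRY: Dict[str, Tuple[bytes, bytes]] = {}


def _hash_secret(secret: bytes, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 keeps this stdlib-only; a memory-hard KDF is also fine.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


def provision_device(serial: str) -> str:
    """Generate a 256-bit random secret at enrollment, store only its salted
    hash, and hand the secret back once for injection into the device.
    The secret is independent of the serial, so the serial alone is useless."""
    secret = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    REGISTRY[serial] = (salt, _hash_secret(secret, salt))
    return secret.hex()


def authenticate(serial: str, presented_secret_hex: str) -> bool:
    """Broker-side check: constant-time comparison of the presented secret's
    hash against the stored hash for that serial."""
    entry = REGISTRY.get(serial)
    if entry is None:
        return False
    salt, stored = entry
    try:
        presented = bytes.fromhex(presented_secret_hex)
    except ValueError:
        return False
    return hmac.compare_digest(_hash_secret(presented, salt), stored)
```

The point a reviewer would take from the two halves: in the weak scheme the effective secret space is the serial space (a few tens of thousands of sequential values here), whereas in the provisioned scheme it is 2^256 regardless of how guessable the serial is, and a device claiming a serial it was not provisioned for simply fails `authenticate`.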
“This meant that we could perform a wide range of denial-of-service attacks, including disconnecting devices by authenticating on their behalf, and even sending fabricated messages and events to the cloud; sending false data to users of these devices,” the cybersecurity firm says.
Claroty also discovered that Ruijie implemented an RCE-as-a-service mechanism for controlling the cloud connected devices, and that it was possible to impersonate the cloud and send an OS command to all devices.
The security firm said that attackers could correlate a device serial number with the owner’s phone number, that sensitive information could be stolen from cloud accounts, and that an attacker could receive all MQTT messages sent to all devices.
In total, Claroty reported 10 vulnerabilities to Ruijie, including three critical: CVE-2024-47547 (CVSS score of 9.4), a weak password recovery mechanism issue; CVE-2024-48874 (CVSS score of 9.8), a server-side request forgery (SSRF) bug; and CVE-2024-52324 (CVSS score of 9.8), the use of an inherently dangerous function leading to arbitrary command execution.
The security firm also devised an attack called Open Sesame, in which an attacker in proximity to a Wi-Fi network that uses Ruijie access points could access the internal network without knowing the Wi-Fi credentials.
By being adjacent to a Ruijie access point, an attacker could sniff its raw beacon messages, extract the serial number, then exploit the flaws in Ruijie’s MQTT communication to send commands to the device and establish a reverse shell.
Claroty identified roughly 50,000 devices potentially impacted by these bugs but says that Ruijie has addressed all security defects in its cloud platform and that no user action is required.
Reyee is a cloud-managed network solution for small and medium-sized businesses (SMBs) developed by Ruijie Networks, a provider of switches, access points, and cloud services to organizations in various sectors, including airports and shopping centers.
Ruijie provides customers with a cloud-based web management portal for the remote management of appliances and networks, on which each device is registered with a serial number and can be claimed by a user who provides that number.