New Rock Technologies Cloud Connected Devices OS Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in New Rock Technologies Cloud Connected Devices, including the OM500 IP-PBX, MX8G VoIP Gateway, and NRP1302/P Desktop IP Phone (all versions). The device cloud RPC command process improperly handles special elements, which allows remote attackers to take control of devices connected to the cloud.
Impact
Exploitation of this vulnerability could give an attacker full control over the affected device.
Remediation
New Rock Technologies has not responded to requests for collaboration with CISA to address these vulnerabilities. Users are encouraged to contact New Rock Technologies customer support for more information. CISA recommends minimizing network exposure for control system devices, using firewalls to isolate control system networks from business networks, and employing secure remote access methods such as VPNs.
