CVE-2023-36622 in Miniserver Go Gen.2
Summary
by MITRE • 07/05/2023
The websocket configuration endpoint of the Loxone Miniserver Go Gen.2 before 14.1.5.9 allows remote authenticated administrators to inject arbitrary OS commands via the timezone parameter.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 01/14/2026
The vulnerability identified as CVE-2023-36622 affects the Loxone Miniserver Go Gen.2 device running firmware versions prior to 14.1.5.9. This represents a critical security flaw in the device's websocket configuration endpoint that exposes remote authenticated administrators to potential command injection attacks. The vulnerability specifically resides in how the system processes the timezone parameter within the websocket configuration interface, creating an avenue for malicious command execution that could compromise the entire network infrastructure controlled by the affected device.
The technical flaw stems from insufficient input validation and sanitization within the timezone parameter handling mechanism. When an authenticated administrator accesses the websocket configuration endpoint and submits a specially crafted timezone value, the system fails to properly sanitize the input before processing it within the operating system context. This lack of proper input validation creates a command injection vulnerability that allows attackers to execute arbitrary operating system commands with the privileges of the affected service account. The vulnerability maps directly to CWE-77 which specifically addresses command injection flaws, and aligns with ATT&CK technique T1059.001 for command and scripting interpreter.
The operational impact of this vulnerability extends beyond simple privilege escalation as it provides attackers with complete control over the Miniserver Go Gen.2 device and potentially the broader network ecosystem it manages. An attacker who gains access through this vulnerability could execute malicious commands to modify system configurations, install backdoors, exfiltrate sensitive data, or establish persistent access points within the network. Given that the Loxone Miniserver serves as a central control point for building automation systems, this vulnerability could enable attackers to manipulate critical infrastructure controls including lighting, heating, security systems, and other IoT devices connected to the network. The authenticated nature of the attack means that an attacker would need valid administrative credentials, but this requirement does not significantly mitigate the risk as administrative accounts are often targeted in credential compromise attacks.
Mitigation strategies should prioritize immediate firmware updates to version 14.1.5.9 or later, which contain the necessary patches addressing the command injection vulnerability. Organizations should also implement network segmentation to limit access to the Miniserver device to only authorized personnel and systems. Additional security controls including network access controls, monitoring of websocket configuration endpoint access patterns, and regular credential rotation procedures should be implemented to reduce the attack surface. Security teams should also conduct comprehensive vulnerability assessments of all Loxone devices within their environment to identify potential similar vulnerabilities. The ATT&CK framework suggests implementing detection capabilities around unusual command execution patterns and monitoring for suspicious timezone parameter values that might indicate exploitation attempts. Regular security awareness training for administrators should emphasize the importance of keeping firmware updated and recognizing potential social engineering attempts that might lead to credential compromise.