CVE-2023-36623 in Miniserver Go Gen.2

Summary

by MITRE • 07/05/2023

The root password of the Loxone Miniserver Go Gen.2 before 14.2 is calculated using hard-coded secrets and the MAC address. This allows a local user to calculate the root password and escalate privileges.


Analysis

by VulDB Data Team • 01/14/2026

The vulnerability identified as CVE-2023-36623 affects Loxone Miniserver Go Gen.2 firmware versions prior to 14.2 and undermines the device's authentication mechanism. The root password is derived from secrets hard-coded in the firmware combined with the device's MAC address. Because every input to that derivation is either shared by all units or readable by a local user, the root password itself is computable by anyone with local access and basic knowledge of the device; the scheme fails the basic requirement that a credential be unpredictable to anyone who does not hold it.

The flaw is a design error rather than an implementation slip. Combining a secret that is identical across all units with a deterministic, easily observed input such as the MAC address yields a password generation scheme that is fully predictable once the firmware constant has been recovered. Per-device credentials should instead come from a cryptographically secure random number generator with enough entropy to defeat both brute force and reverse engineering. The vulnerability is classified under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and is closely related to CWE-326 (Inadequate Encryption Strength).

From an operational perspective, this vulnerability enables local privilege escalation that can compromise the entire device and potentially affect connected systems within the network. An attacker with local access can obtain the device's MAC address, apply the known derivation, and log in as root, gaining full administrative control over the Loxone Miniserver. That access level allows complete system manipulation, including configuration changes, data exfiltration, and use of the device as a pivot point for lateral movement. The impact extends beyond the individual device, because the Loxone system often serves as the central control point for building automation and can therefore affect security, heating, lighting, and other critical building systems.

The attack surface is limited to local access scenarios, but the consequences are severe because of the privilege level gained. In the MITRE ATT&CK framework this vulnerability maps to T1068 (Exploitation for Privilege Escalation), to T1566 (Phishing) where social engineering is used to obtain the initial local access, and to T1078 (Valid Accounts), since the attacker ends up using a legitimate, firmware-generated account rather than a planted one. Organizations should use network segmentation and access controls to limit who can reach the device locally, and should deploy the firmware update promptly. The recommended mitigation is an upgrade to version 14.2 or later. More generally, a root credential of this kind should be generated per device from a cryptographically secure random source, or derived with a proper key derivation function such as PBKDF2 whose inputs include device-specific secret material and no constant shared across the whole product line.
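The two paragraphs above describe the weak credential class and the fix in prose. The following is an added illustration written for this page, not Loxone code and not the actual derivation used in the affected firmware: `weak_root_password()` is a generic stand-in for "hash of a firmware-embedded constant plus the MAC address" with a made-up constant, and `provision_root_credential()` / `verify_root_password()` show the corrected pattern of a per-device random password stored only as a salted PBKDF2-HMAC-SHA256 hash. The point it demonstrates is that the weak scheme is reproducible by any second party holding the constant and the MAC, while the fixed scheme gives two devices different, unrecomputable passwords.

```python
"""Toy model of the CVE-2023-36623 flaw class beside a fixed credential scheme.

Illustrative only: FIRMWARE_CONSTANT is a constructed placeholder and the weak
derivation below is a generic pattern, NOT the vendor's algorithm.
"""
import hashlib
import hmac
import os
import secrets
import string

# Hypothetical stand-in for a secret baked into every firmware image.
# It is identical on every unit, so it provides no per-device entropy.
FIRMWARE_CONSTANT = b"example-hardcoded-secret"  # constructed placeholder


def weak_root_password(mac: str, firmware_constant: bytes = FIRMWARE_CONSTANT) -> str:
    """Weak pattern (the CWE-327 / CWE-326 class the advisory describes).

    The password is a pure function of a public identifier (the MAC address)
    and a constant shared by all units. Once the constant is known, the
    password of every device is recomputable; its effective entropy is zero.
    """
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", "").lower())
    digest = hashlib.sha256(firmware_constant + mac_bytes).hexdigest()
    return digest[:16]


_ALPHABET = string.ascii_letters + string.digits
PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256; tune to hardware


def provision_root_credential(length: int = 20) -> tuple[str, dict]:
    """Fixed pattern: per-device random password, stored as a salted slow hash.

    Returns (cleartext_password, stored_record). The cleartext is shown once
    at provisioning (for example printed on the device label or set by the
    installer) and never persisted; nothing in the firmware or the MAC lets a
    third party recompute it.
    """
    password = "".join(secrets.choice(_ALPHABET) for _ in range(length))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return password, {
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": digest.hex(),
    }


def verify_root_password(record: dict, candidate: str) -> bool:
    """Constant-time check of a login attempt against the stored record."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    # Weak scheme: a second party with the constant and the MAC gets the same value.
    print("weak scheme reproducible:", weak_root_password(mac) == weak_root_password(mac))
    # Fixed scheme: two provisioning runs yield unrelated credentials.
    pw_a, rec_a = provision_root_credential()
    pw_b, rec_b = provision_root_credential()
    print("fixed scheme unique per device:", pw_a != pw_b)
    print("fixed scheme verifies own password:", verify_root_password(rec_a, pw_a))
    print("fixed scheme rejects other device's password:", verify_root_password(rec_a, pw_b))
```

Notice that the fixed scheme never needs the MAC address at all: device identity and device secret are kept separate, so knowing everything public about a unit gives no head start on its root password, and the slow hash limits offline guessing if the stored record is ever read from the filesystem.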

Reservation: 06/25/2023

Disclosure: 07/05/2023

Moderation: accepted

CPE: ready

EPSS: 0.00271

KEV: no

Activities: very low
