IP Address Information Disclosure
Summary:
The openapi/device/status API returns IP information in its responses, which may lead to unintended disclosure of the device's public-facing IP address used for external connectivity.
CVSS (Base Score):
7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Conditions:
Given appropriate device credentials (such as keys or tokens), an attacker may call this API and read device IP information from the response.
Risk:
Affected devices risk exposure of public IP addresses, which could allow attackers to conduct further scanning and probing.
Impact Scope:
Device status query scenarios involving confidentiality of IP and related network identifiers.
Remediation Steps:
This API has been disabled.
Acknowledgment:
We thank Sammy Azdoufal for valuable assistance in discovering this vulnerability and coordinating responsible disclosure.