A critical flaw in X-Rite MA-T6 spectrophotometers lets an unauthenticated remote attacker run arbitrary commands because the device fails to verify the origin of a communication channel.
What Is It
CVE-2023-49899 is a critical (CVSS 9.8) vulnerability in the X-Rite MA-T6 device. According to the NVD record, an unauthenticated remote attacker can execute any command on the affected device due to the device not correctly verifying the origin of a communication channel. The weakness is classified as CWE-346 (Origin Validation Error). The CVSS 3.1 vector, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicates the attack is network-reachable, low-complexity, requires no privileges or user interaction, and fully compromises confidentiality, integrity, and availability.
Why It Matters
With a base score of 9.8, this is among the most severe classes of vulnerability. No authentication and no user interaction are required, and successful exploitation grants full command execution on the affected hardware. That combination makes the flaw attractive to attackers who can reach the device over the network.
What's Vulnerable
The affected product is the X-Rite MA-T6, in all versions prior to v2.33. Per the NVD affected-version data, versions from 0 up to (but not including) v2.33 are affected; other versions are listed as unaffected.
Patch Status
The affected version range ends at v2.33, indicating that v2.33 and later are not affected and upgrading to v2.33 or newer is the remediation path. This CVE is not present in the supplied CISA KEV data, so there is no KEV-confirmed active exploitation or KEV-mandated required action associated with it. The NVD record lists the vulnerability status as "Deferred."
Sources
- NVD, CVE-2023-49899: https://nvd.nist.gov/vuln/detail/CVE-2023-49899
- Claroty Team82 Disclosure Dashboard; CVE-2023-49899: https://claroty.com/team82/disclosure-dashboard/cve-2023-49899