From theregister.com
A vulnerability in Thales’ Cinterion EHS8 M2M module, a Java-powered embedded 3G system used in millions of Internet-of-Things devices for connectivity, was revealed yesterday by IBM’s X-Force Red.
The bug (CVE-2020-15858), disclosed to Thales and addressed in a patch made available to IoT vendors in February, makes it possible for an attacker to, for instance, extract the code and other resources from a vulnerable device. This information could be reverse-engineered to find vulnerabilities to exploit, and secret keys and passwords to extract, potentially leading to miscreants hijacking the hardware and/or gaining access to its network.