Multiple Security Issues in EMQX Component

9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

Attackers can directly access the EMQX service over the network, subscribe to all user messages by abusing missing device-level authentication, or log in to the console with default credentials to view information.

This vulnerability may lead to leakage of communication data between users and devices, and attackers may obtain system messages via the console.

This issue affects the deprecated EMQX component on devices below version 3.0.0.

The legacy EMQX component has been fully retired and stopped. Devices running versions prior to 3.0.0 must be upgraded. The current supported release is 6.0.1.