Kramer VIA GO² - Multiple Issues

Key Vulnerability Information

Vulnerabilities Identified:
- Unauthenticated Arbitrary File Read (CVE-2023-33507)
- Unauthenticated SQL Injection (Squeely) (CVE-2023-33509)
- Unauthenticated File Upload Resulting in RCE (CVE-2023-33508)

Additional Context: By chaining with a previously discovered privilege escalation flaw through misconfigured Sudo rules (CVE-2021-35064), complete device takeover from an unauthenticated user is possible.

Potential Impact: Complete device compromise via RCE or retrieving user passwords via SQL Injection.

How to Fix: Update to firmware version 4.0, then apply version 4.0.1.1326 or later.

Disclosure Timeline:
- Issued to CERT NZ: 21/02/2023
- Vendor Response: 09/03/2023
- Patched Firmware Release: 17/03/2023
- CVEs Assigned: 31/05/2023