Missing authentication for local web interface in Arc before v1.6.0

Last update: 2024-05-20

Advisory IDNN-2023:13-01
TopicMissing authentication for local web interface in Arc before v1.6.0
CWE ImpactCWE-306: Missing Authentication for Critical Function
Issue date2024-05-15
AffectsArc < v1.6.0
CVE Name(s)CVE-2023-5935
CVSS Score7.3 (CVSS v4.0)
7.4 (CVSS v3.1)
CVE Risk LevelHigh (CVSS v4.0)
High (CVSS v3.1)
Risk Level for Nozomi customersMedium


When configuring Arc (e.g. during the first setup), a local web interface is provided to ease the configuration process. Such web interface lacks authentication and may thus be abused by a local attacker or malware running on the machine itself.


A malicious local user or process, during a window of opportunity when the local web interface is active, may be able to extract sensitive information or change Arc's configuration. This could also lead to arbitrary code execution if a malicious update package is installed.

Affected Products

Arc < v1.6.0

Workarounds and Mitigations



Upgrade to v1.6.0 or later.

Modification History

2024-05-15: Initial revision
2024-05-20: Added CVSS v4.0 scoring where applicable

Related Links


We thank the following parties for their efforts:

  • Diego Giubertoni of Nozomi Networks Security Research team for finding this issue during an internal penetration testing session


Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.
More contact details on the PSIRT page.