Bosch [1] [2] [3] [4] [5] [6] [7], a German technology manufacturer [1], has addressed a vulnerability in its smart thermostats. The flaw allowed an attacker on the same network to replace the thermostat’s firmware with a malicious version [1], rendering the device inoperable and potentially giving the attacker a foothold on the network.


The vulnerability specifically affected the Wi-Fi microcontroller that acts as a network gateway for the thermostat’s logic microcontroller [6]. It impacted models BCC101, BCC102 [1] [2] [3] [4] [5] [6] [7], and BCC50 [3] [6] running firmware versions 4.13.20 through 4.13.33 [3] [6]. The issue is tracked as CVE-2023-49722 and was rated ‘High’ severity.

Bitdefender [1] [3] [4] [6] [7], a cybersecurity company, discovered the vulnerability and promptly informed Bosch on August 29, 2023. Bosch responded swiftly by developing a software update to address the vulnerability. The update was released on October 12, 2023, and Bosch urged all affected users to install it to mitigate the risks. The vulnerability was publicly disclosed on January 9, 2024 [3] [6].


To reduce exposure to this class of issue, it is recommended to place IoT devices on a dedicated network segment [3], regularly scan that network for connected devices, and install firmware updates promptly when new versions are released. Both manufacturers and users should prioritize security measures for IoT devices [1], in particular keeping firmware current and applying sound network security practices [1]. Bosch’s quick response to this incident demonstrates its commitment to customer security. For more detailed information about the vulnerabilities and Bosch’s response, please visit the Bosch Product Security Incident Response Team site [2].
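The two practical takeaways above, the affected model/firmware range and the advice to inventory and update IoT devices, can be combined into a simple check. The script below is an added example for this article, not code from Bosch or Bitdefender; the inventory row format, the `parse_version` helper and the sample device rows are assumptions made here. It compares firmware versions numerically, which matters because a plain string comparison would rank "4.13.9" above "4.13.20" and miss or mis-flag devices.

```python
"""Flag thermostats whose reported firmware falls in the affected range.

Added example, not Bosch's or Bitdefender's code. The inventory format
(hostname, model, firmware string), the parse_version helper and the
sample rows below are assumptions made for illustration.
"""

# Affected models and firmware range as stated in the article (CVE-2023-49722).
AFFECTED_MODELS = {"BCC101", "BCC102", "BCC50"}
FIRST_AFFECTED = (4, 13, 20)
LAST_AFFECTED = (4, 13, 33)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'v4.13.9' or '4.13.20' into a tuple of ints.

    Tuples compare element by element, so (4, 13, 9) < (4, 13, 20),
    whereas the strings '4.13.9' and '4.13.20' would compare the other way.
    Non-numeric components raise ValueError, which surfaces bad inventory data.
    """
    cleaned = text.strip().lower().lstrip("v")
    return tuple(int(part) for part in cleaned.split("."))


def is_affected(model: str, firmware: str) -> bool:
    """True if the model is listed and its firmware is within the affected range."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return False
    return FIRST_AFFECTED <= parse_version(firmware) <= LAST_AFFECTED


# Constructed sample inventory: one row per device on the IoT segment.
SAMPLE_INVENTORY = [
    ("hallway-thermostat", "BCC101", "4.13.20"),   # first affected build
    ("bedroom-thermostat", "BCC102", "v4.13.33"),  # last affected build
    ("office-thermostat", "BCC50", "4.13.9"),      # older than the range
    ("kitchen-thermostat", "BCC102", "4.13.34"),   # already patched
    ("guest-room-sensor", "OTHER-MODEL", "4.13.25"),  # model not affected
]


def find_affected(inventory) -> list[str]:
    """Return the hostnames of devices that still need the firmware update."""
    return [host for host, model, fw in inventory if is_affected(model, fw)]


if __name__ == "__main__":
    for host in find_affected(SAMPLE_INVENTORY):
        print(f"{host}: update firmware (CVE-2023-49722)")
```

Run against a real inventory export, the same function flags only the listed models inside the affected range; anything newer, older, or of a different model is left alone, so the output is a to-do list for the firmware update rather than a noisy scan result.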