CVE-2022-33195

Summary

Four OS command injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A XCMD can lead to arbitrary command execution. An attacker can send a sequence of malicious commands to trigger these vulnerabilities.This vulnerability focuses on the unsafe use of the WL_DefaultKeyID in the function located at offset 0x1c7d28 of firmware 6.9Z, and even more specifically on the command execution occuring at offset 0x1c7fac.

Affected Software

VendorProductVersion RangeStatus
abode systems, inc.iota All-In-One Security Kit6.9Xaffected
abode systems, inc.iota All-In-One Security Kit6.9Zaffected

Weaknesses

  • CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

References