CVE-2022-33206

Summary

Four OS command injection vulnerabilities exists in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.This vulnerability focuses on the unsafe use of the key and default_key_id HTTP parameters to construct an OS Command crafted at offset 0x19b1f4 of the /root/hpgw binary included in firmware 6.9Z.

Affected Software

VendorProductVersion RangeStatus
abode systems, inc.iota All-In-One Security Kit6.9Xaffected
abode systems, inc.iota All-In-One Security Kit6.9Zaffected

Weaknesses

  • CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

References