CVE-2024-21881

Summary

Inadequate Encryption Strength vulnerability allow an authenticated attacker to execute arbitrary OS Commands via encrypted package upload.This issue affects Envoy: 4.x and 5.x

Affected Software

VendorProductVersion RangeStatus
EnphaseEnvoy5.xaffected
EnphaseEnvoy4.xaffected

Weaknesses

  • CWE-326: CWE-326 Inadequate Encryption Strength

Workarounds

It is adviced to not expose this device to untrusted network acces. In other words, make sure this decvice is not reachable from the internet, a guest network or a public network.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References