Unknown · HMIPServer.jar · CVE-2024-24578
**Name of the Vulnerable Software and Affected Versions**
RaspberryMatic / OCCU versions prior to 3.75.6.20240316
**Description**
RaspberryMatic is an open-source operating system for HomeMatic internet-of-things devices. The issue is caused by multiple problems within the Java-based `HMIPServer.jar` component. This component can be accessed through URLs starting with `/pages/jpages`. The `FirmwareController` class does not perform session ID checks, allowing access without a valid session. As a result, attackers can gain remote code execution as the root user, leading to a full system compromise.
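Added illustration (not from the advisory or the RaspberryMatic project): a small Python detector that scans a web-server access log for requests under the `/pages/jpages` prefix that carry no session identifier, the pattern a request reaching the unchecked `FirmwareController` would leave. It assumes a combined-log-format access log and that the session travels as a `sid` query parameter; both are assumptions about the deployment, the endpoint paths and log lines below are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined-log format (not real traffic); the
# paths below /pages/jpages are placeholders, not real controller endpoints.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Mar/2024:10:01:02 +0000] "GET /pages/jpages/ctrl?sid=@abc123@ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Mar/2024:10:01:05 +0000] "POST /pages/jpages/ctrl HTTP/1.1" 200 128 "-" "python-requests/2.31"
203.0.113.9 - - [16/Mar/2024:10:01:06 +0000] "POST /pages/jpages/ctrl HTTP/1.1" 200 128 "-" "python-requests/2.31"
198.51.100.4 - - [16/Mar/2024:10:02:00 +0000] "GET /pages/index.htm HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumption: the session token is carried as a "sid" query parameter.
SESSION_PARAM = "sid"
VULN_PREFIX = "/pages/jpages"


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_unauthenticated_jpages_request(rec):
    """True when the request targets the HMIPServer.jar URL space without a session id."""
    url = urlsplit(rec["target"])
    if not url.path.startswith(VULN_PREFIX):
        return False
    return SESSION_PARAM not in parse_qs(url.query)


def find_suspicious(log_text):
    """Return (ip, method, path) for every session-less request under /pages/jpages."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_unauthenticated_jpages_request(rec):
            hits.append((rec["ip"], rec["method"], urlsplit(rec["target"]).path))
    return hits


def count_by_source(hits):
    """Aggregate hits per client address to surface repeated unauthenticated access."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Run over the constructed sample, the two POST requests from 203.0.113.9 are flagged while the session-bearing GET and the unrelated page are not.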
**Recommendations**
For versions prior to 3.75.6.20240316, update to version 3.75.6.20240316 or later to resolve the issue. As a temporary workaround until the update is applied, restrict access to URLs under `/pages/jpages`, which is how the `FirmwareController` class is reached. Additionally, disabling the `HMIPServer.jar` component can help minimize the risk of exploitation until a patch is installed.