CVE-2018-3832

Name of the Vulnerable Software and Affected Versions Insteon Hub version 1013

Description An exploitable firmware update issue exists in the Insteon Hub. The HTTP server allows uploading arbitrary MPFS binaries, which can be modified to access hidden resources for uploading unsigned firmware images. To exploit this, an attacker can upload an MPFS binary via the "/mpfsupload" HTTP form, then upload firmware via a POST request to "firmware.htm".

Recommendations For Insteon Hub version 1013, as a temporary workaround, consider disabling access to the "/mpfsupload" HTTP form and restricting POST requests to "firmware.htm" until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.