CVE-2022-33205

Name of the Vulnerable Software and Affected Versions Abode Systems, Inc. iota All-In-One Security Kit versions 6.9X through 6.9Z

Description The web interface /action/wirelessConnect functionality contains OS command injection vulnerabilities. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities, focusing on the unsafe use of the wpapsk hex HTTP parameter to construct an OS Command at offset 0x19b0ac of the /root/hpgw binary.

Recommendations For versions 6.9X through 6.9Z, consider disabling the /action/wirelessConnect functionality until a patch is available. Restrict access to the /root/hpgw binary to minimize the risk of exploitation. Avoid using the wpapsk hex parameter in the affected API endpoint until the issue is resolved.