PT-2022-21743 · Abode Systems · Iota All-In-One Security Kit
Matt Wiseman · Published 2022-10-25 · Updated 2022-10-27
CVE-2022-33206
CVSS v3.1: 10 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Abode Systems, Inc. iota All-In-One Security Kit versions 6.9X and 6.9Z
Description
The web interface of the affected system has OS command injection vulnerabilities in the /action/wirelessConnect functionality. An attacker can send a specially crafted HTTP request to execute arbitrary commands. The issue arises from the unsafe use of the key and default key id HTTP parameters, whose values are used to build an OS command at a specific offset in the /root/hpgw binary included in the firmware.
Recommendations
For version 6.9X, consider restricting access to the /action/wirelessConnect functionality until a patch is available.
For version 6.9Z, avoid using the key and default key id parameters in the affected HTTP request until the issue is resolved.
As a temporary workaround, consider disabling the /action/wirelessConnect functionality to prevent exploitation.
Exploit
Fix
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Iota All-In-One Security Kit
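As an added defensive example (not part of the advisory or the vendor's code), the following script scans reverse-proxy or web-server log lines for requests to the /action/wirelessConnect endpoint whose parameters carry shell metacharacters, the pattern the description above warns about. It assumes combined-log format and that the parameters travel in the query string; the constructed sample lines and the parameter name default_key_id used in them are illustrative.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: requests to the device pass through a proxy or WAF that logs the
# request line in combined-log format, with parameters in the query string.
WATCHED_PATH = "/action/wirelessConnect"
# Characters that let a parameter value break out of a shell command string.
# Note: a legitimate WPA passphrase may contain some of these, so treat hits
# as alerts to review rather than proof of attack.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return [(param, decoded_value)] for parameters of a request to the
    watched path whose decoded value contains shell metacharacters."""
    parts = urlsplit(target)
    if parts.path != WATCHED_PATH:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote(value)  # second decode catches double-encoded values
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits

def scan_log(lines):
    """Yield (client_ip, param, decoded_value) for each flagged request."""
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        for name, value in suspicious_params(m.group("target")):
            yield client_ip, name, value

# Constructed sample log lines (not real traffic); parameter names are illustrative.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Oct/2022:10:00:00 +0000] "GET /action/wirelessConnect?ssid=Home&key=correct-horse&default_key_id=1 HTTP/1.1" 200 45',
    '192.0.2.20 - - [25/Oct/2022:10:00:05 +0000] "GET /action/wirelessConnect?ssid=Home&key=abc%3Bid&default_key_id=1 HTTP/1.1" 200 45',
    '192.0.2.30 - - [25/Oct/2022:10:00:09 +0000] "GET /action/wirelessConnect?ssid=Home&key=abc&default_key_id=%2524%2528id%2529 HTTP/1.1" 200 45',
    '192.0.2.40 - - [25/Oct/2022:10:00:12 +0000] "GET /status?key=a%3Bb HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for ip, name, value in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} {WATCHED_PATH} param={name!r} value={value!r}")
```

The last sample line is deliberately not flagged: the same metacharacter on another path is outside the advisory's scope, which keeps the alert volume tied to the vulnerable endpoint.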