PT-2022-21744 · Abode Systems · Iota All-In-One Security Kit

Matt Wiseman · Published 2022-10-25 · Updated 2022-10-27 · CVE-2022-33207

CVSS v3.1: 10.0 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Abode Systems, Inc. iota All-In-One Security Kit, versions 6.9X and 6.9Z

Description: The /action/wirelessConnect functionality of the web interface contains OS command injection vulnerabilities. The handler uses the value of the "default key id" HTTP parameter, without neutralising shell metacharacters, to construct an OS command line, so a specially crafted HTTP request leads to arbitrary command execution on the device. An attacker can trigger the vulnerabilities with an authenticated HTTP request. Note that the vector above records PR:N while this description requires authentication; when prioritising, assume the less demanding precondition.

Recommendations: No fixed version is known at the time of writing. The same mitigations apply to both 6.9X and 6.9Z, since in either version the injection is reached through the web interface: disable the /action/wirelessConnect functionality if the device does not need it, and otherwise restrict network access to the web interface to trusted hosts only and never expose it to the internet. Restricting access to the /root/hpgw binary, or avoiding the "default key id" parameter in your own requests, does not remove the exposure on its own: the attacker, not the operator, supplies the request and its parameters. Until a patch is available, monitor requests to the endpoint for shell metacharacters in that parameter.
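To act on the monitoring recommendation while a fix is pending, the following is an added detection example; it is not part of the advisory and not the vendor's code. It flags requests to /action/wirelessConnect whose key id parameter carries shell metacharacters after URL decoding, or a value outside the small range a WEP default key index can take. Assumptions not stated in the advisory: the parameter is spelled default_key_id, the logs are in combined access-log format, and the parameter may arrive either in the query string or in a form-encoded body. The log lines in the block are constructed.

```python
"""Detection rule for the /action/wirelessConnect command-injection endpoint.

Added example, not from the advisory or the vendor. Assumptions: the "default key
id" parameter is spelled default_key_id, logs are in combined access-log format,
and the parameter may arrive in the query string or a form-encoded body. All
log lines below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus, urlsplit

VULN_PATH = "/action/wirelessConnect"
PARAM = "default_key_id"                 # assumed spelling (advisory says "default key id")
ALLOWED_KEY_IDS = {"1", "2", "3", "4"}   # a WEP default key index; anything else is abnormal

# Characters a POSIX shell interprets when an untrusted value is spliced into a
# command line; their presence after URL-decoding is the injection signature.
SHELL_META = re.compile(r"""[;&|`$(){}<>\n\r\\'"]""")

# Combined-format access log: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def parse_form(encoded: str) -> Dict[str, List[str]]:
    """Split on '&' only (never ';', which is itself a shell metacharacter we
    must not silently strip) and URL-decode both halves of every pair."""
    params: Dict[str, List[str]] = {}
    for pair in encoded.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def classify_value(value: str) -> Optional[str]:
    """Strict allowlist: shell metacharacters are high confidence, any other
    value outside 1-4 is still worth a look."""
    if SHELL_META.search(value):
        return "high"
    if value not in ALLOWED_KEY_IDS:
        return "medium"
    return None


def inspect_request(method: str, target: str, body: str = "") -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one request, or None if nothing is suspicious."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    params = parse_form(parts.query)
    if body:                                   # POST bodies are not in access logs
        for key, values in parse_form(body).items():
            params.setdefault(key, []).extend(values)
    values = params.get(PARAM)
    if not values:
        return ("info", f"{method} {VULN_PATH} without {PARAM}")
    for value in values:
        severity = classify_value(value)
        if severity:
            return (severity, f"{PARAM}={value!r}")
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run inspect_request over access-log lines; returns (client, severity, reason)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m["method"], m["target"])
        if finding:
            hits.append((m["src"], finding[0], finding[1]))
    return hits


# Constructed sample lines: a legitimate request, an injection attempt with an
# encoded ';', an out-of-range key id, a POST with no visible parameter, and noise.
LOG_LINES = [
    '192.0.2.10 - - [25/Oct/2022:10:00:01 +0000] "GET /action/wirelessConnect?ssid=home&default_key_id=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [25/Oct/2022:10:00:05 +0000] "GET /action/wirelessConnect?ssid=home&default_key_id=1%3Bid HTTP/1.1" 200 2048',
    '192.0.2.11 - - [25/Oct/2022:10:00:09 +0000] "GET /action/wirelessConnect?ssid=home&default_key_id=9 HTTP/1.1" 200 512',
    '192.0.2.12 - - [25/Oct/2022:10:00:12 +0000] "POST /action/wirelessConnect HTTP/1.1" 200 512',
    '192.0.2.13 - - [25/Oct/2022:10:00:15 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, severity, reason in scan_log(LOG_LINES):
        print(f"{severity:6} {client:12} {reason}")
```

Two points to keep in mind when deploying this: an access log only shows the query string, so if the device accepts the parameter in a POST body the check has to run where the body is visible (a reverse proxy or WAF in front of the device, fed through inspect_request with the body argument), and the 1-4 allowlist is an assumption about what the device expects, so tune it against legitimate traffic before alerting on the medium-severity case.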

Exploit: OS Command Injection
Weakness Enumeration: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Related Identifiers: CVE-2022-33207
Affected Products: Iota All-In-One Security Kit