PT-2024-20465 · Unknown · Hmipserver.Jar +1
H0Ng10 · Published 2024-03-18 · Updated 2024-03-19 · CVE-2024-24578
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: RaspberryMatic / OCCU versions prior to 3.75.6.20240316

Description: RaspberryMatic is an open-source operating system for HomeMatic internet-of-things devices. The issue stems from multiple problems within the Java-based HMIPServer.jar component, which is reachable through URLs beginning with /pages/jpages. The FirmwareController class does not check the session ID, so its functionality can be reached without a valid session. As a result, an unauthenticated attacker can achieve remote code execution as the root user, which amounts to a full system compromise.

Recommendations: For versions prior to 3.75.6.20240316, update to version 3.75.6.20240316 or later to resolve the issue. As a temporary workaround until the update is applied, restrict access to the /pages/jpages URL path and the FirmwareController class. Disabling the HMIPServer.jar component can further reduce the risk of exploitation until the patch is installed.

Weakness Enumeration

Missing Authentication
Relative Path Traversal

Related Identifiers

CVE-2024-24578
GHSA-Q967-Q4J8-637H

Affected Products

Hmipserver.Jar
Raspberrymatic