CVE-2013-4863
Description
The HomeAutomationGateway service in MiCasaVerde VeraLite with firmware 1.5.408 allows (1) remote attackers to execute arbitrary Lua code via a RunLua action in a request to upnp/control/hag on port 49451 or (2) remote authenticated users to execute arbitrary Lua code via a RunLua action in a request to port_49451/upnp/control/hag.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MiCasaVerde VeraLite firmware 1.5.408 allows unauthenticated remote attackers to execute arbitrary Lua code via the HomeAutomationGateway service.
Vulnerability
The HomeAutomationGateway service in MiCasaVerde VeraLite with firmware 1.5.408 contains a vulnerability that allows arbitrary Lua code execution. The service listens on port 49451 and exposes a UPnP control endpoint at /upnp/control/hag. By sending a RunLua action in a SOAP request, an attacker can inject and execute arbitrary Lua code on the device. This affects both unauthenticated remote attackers and remote authenticated users (the latter via a slightly different path, port_49451/upnp/control/hag). [1][2]
Exploitation
An unauthenticated attacker with network access to the VeraLite (or reachable via the Internet-based control panel at cp.mios.com if the device is configured for remote access) can send a crafted HTTP request to the UPnP endpoint. The request must include a RunLua action with the malicious Lua code as a parameter. No prior authentication is required for the unauthenticated vector; for the authenticated vector, the attacker must have valid credentials (admin or guest). The attack does not require user interaction or any special timing. [1][2]
Impact
Successful exploitation allows the attacker to execute arbitrary Lua code with the privileges of the HomeAutomationGateway service, which runs with root-level permissions on the device. This leads to full compromise of the VeraLite, including the ability to read or modify any file, install malware, control home automation devices, and pivot to other systems on the local network. The confidentiality, integrity, and availability of the device and its managed systems are completely undermined. [1][2]
Mitigation
As of the advisory publication (August 2013), no official patch or firmware update was released by MiCasaVerde to address this vulnerability. The VeraLite model is likely end-of-life and no longer supported. Users should isolate the device on a separate network segment, restrict access to port 49451 via firewall rules, and disable remote access if not strictly necessary. No workaround is available that fully eliminates the risk. [1][2]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- MiCasaVerde/VeraLite
- Range: =1.5.408
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authentication check on the RunLua SOAP action in the HomeAutomationGateway UPnP service allows unauthenticated remote Lua code execution as root."
Attack vector
An attacker on the local network sends a SOAP POST request to `http://A.B.C.D:49451/upnp/control/hag` with a SOAPACTION header of `"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua"` and an XML body containing a `
Affected code
The HomeAutomationGateway (HAG) UPnP service on the VeraLite exposes the RunLua action via the endpoint `/upnp/control/hag` on TCP port 49451 [ref_id=1][ref_id=2]. No authentication check is performed before executing the supplied Lua code [ref_id=1][ref_id=2].
What the fix does
No patch is provided in the bundle. The vendor response characterized the lack of authentication as a "deliberate design decision" because retail customers wanted open access [ref_id=2]. The advisory recommends that the vendor implement proper authentication checks on the RunLua action to prevent unauthenticated remote code execution [ref_id=1][ref_id=2].
Preconditions
- Network: Attacker must have network access to TCP port 49451 on the VeraLite device (LAN access).
- Auth: No authentication or session is required; the service accepts the SOAP request without any credential check.
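The attack vector and mitigation sections above describe the RunLua SOAP action on port 49451 and recommend restricting who can reach that port. The following is an added example, not code from the advisory or from MiCasaVerde: a small triage routine that parses raw HTTP request records (as a proxy or IDS might log them) and flags calls to the HAG control endpoint, ranking RunLua calls from outside an assumed management subnet highest. The management subnet (192.168.10.0/24), the sample records and the non-RunLua action name are constructed for illustration.

```python
"""Flag SOAP RunLua requests to the VeraLite HomeAutomationGateway service.

Added example (not the advisory's or vendor's code). Parses raw HTTP request
records and reports calls to the HAG control endpoint on TCP 49451.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

HAG_PORT = 49451                        # HAG UPnP service port (from the advisory)
HAG_PATH_SUFFIX = "/upnp/control/hag"   # matches /upnp/control/hag and port_49451/upnp/control/hag
RUNLUA_ACTION = "urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua"
# Assumption: the only subnet the operator intends to let reach the HAG service.
MANAGEMENT_NET = ipaddress.ip_network("192.168.10.0/24")
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    src_ip: str
    path: str
    action: str
    severity: str   # "high", "medium" or "low"
    reason: str


def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, headers); header names are lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop the body; headers are enough for triage
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def host_port(headers: dict, default: int = 80) -> int:
    """Port from the Host header ("A.B.C.D:49451"); IPv6 literals are not handled here."""
    host = headers.get("host", "")
    if host.count(":") == 1:
        return int(host.rsplit(":", 1)[1])
    return default


def classify(src_ip: str, raw: str) -> Optional[Finding]:
    """Return a Finding for any HAG control request, None for unrelated traffic."""
    method, path, headers = parse_request(raw)
    if method != "POST" or not path.endswith(HAG_PATH_SUFFIX):
        return None
    if host_port(headers) != HAG_PORT:
        return None
    action = headers.get("soapaction", "").strip('"')
    outside = ipaddress.ip_address(src_ip) not in MANAGEMENT_NET
    if action == RUNLUA_ACTION:
        if outside:
            return Finding(src_ip, path, action, "high",
                           "RunLua (arbitrary Lua as root) from outside the management subnet")
        return Finding(src_ip, path, action, "medium",
                       "RunLua from the management subnet; confirm the operator intended it")
    where = "outside" if outside else "inside"
    return Finding(src_ip, path, action, "low",
                   f"non-RunLua HAG action from {where} the management subnet")


def triage(records):
    """Classify (src_ip, raw_request) pairs and return findings, most severe first."""
    findings = [f for f in (classify(src, raw) for src, raw in records) if f is not None]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


def _record(action: str, path: str = HAG_PATH_SUFFIX, port: int = HAG_PORT) -> str:
    """Constructed request record using the headers shown in the advisory; body omitted."""
    return (f"POST {path} HTTP/1.1\r\nHost: 192.168.10.200:{port}\r\n"
            f"Content-Type: text/xml;charset=UTF-8\r\n"
            f'SOAPACTION: "{action}"\r\n\r\n')


# Constructed sample records: (source IP, raw request). The second action name is
# a placeholder, not a documented HAG action.
SAMPLE_RECORDS = [
    ("10.0.0.5", _record(RUNLUA_ACTION)),
    ("192.168.10.3", _record(RUNLUA_ACTION)),
    ("10.0.0.5", _record("urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#ExampleOtherAction")),
    ("10.0.0.9", _record(RUNLUA_ACTION, path="/status", port=80)),   # unrelated traffic
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"[{f.severity:6}] {f.src_ip} {f.path} -> {f.reason}")
```

The same classification can feed a firewall review: any "high" finding is traffic that the recommended port-49451 restriction should already have blocked, so its presence in logs indicates the restriction is missing or bypassed.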
Reproduction
Send the following POST request to port 49451 of the target VeraLite (replace A.B.C.D with the device's IP):
```http
POST /upnp/control/hag HTTP/1.1
Host: A.B.C.D:49451
Content-Type: text/xml;charset=UTF-8
SOAPACTION: "urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua"
Content-Length: 311
```
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/122654/MiCasaVerde-VeraLite-1.5.408-Traversal-Authorization-CSRF-Disclosure.html (MISC)
- www.exploit-db.com/exploits/27286 (MISC)
- www3.trustwave.com/spiderlabs/advisories/TWSL2013-019.txt (MISC)
News mentions
No linked articles in our index yet.