CVE-2013-4864
Description
MiCasaVerde VeraLite with firmware 1.5.408 allows remote attackers to send HTTP requests to intranet servers via the url parameter to cgi-bin/cmh/proxy.sh, related to a Server-Side Request Forgery (SSRF) issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MiCasaVerde VeraLite firmware 1.5.408 has an SSRF in proxy.sh allowing attackers to send HTTP requests to internal networks.
Vulnerability
The MiCasaVerde VeraLite home automation controller running firmware version 1.5.408 contains a Server-Side Request Forgery (SSRF) vulnerability in the cgi-bin/cmh/proxy.sh script. The script accepts a url parameter without proper validation, allowing an attacker to force the device to send arbitrary HTTP requests to internal or external servers. This issue is documented in multiple advisories [1][2][3].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the VeraLite's web interface with a target URL in the url parameter. No authentication is required; the only precondition is network access to the device's web interface. For example, a request to http://A.B.C.D/cgi-bin/cmh/proxy.sh?url=http://internal-server/ (where A.B.C.D is the device address) causes the VeraLite to fetch http://internal-server/ and relay the response back to the attacker. Because the response is returned, the attacker can read the content of internal pages, scan the internal network by probing addresses and ports, and interact with services that are not directly reachable from the internet.
Impact
Successful exploitation allows an attacker to perform SSRF attacks, enabling them to send HTTP requests to intranet servers that are otherwise unreachable. This can lead to information disclosure, internal network reconnaissance, and potential further exploitation of internal services. The attacker can leverage the VeraLite as a proxy to attack other systems within the local network.
Mitigation
As of the available references, no official patch has been released for this vulnerability; the vendor told the reporting researchers that the proxy behaviour was a deliberate design decision, so a later firmware version should not be assumed to remove it without testing. The affected firmware version is 1.5.408. Users should restrict network access to the VeraLite's web interface to trusted hosts only (access control lists, network segmentation, and never exposing the interface directly to the internet). The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- MiCasaVerde/VeraLite
- Range: = 1.5.408
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation in the /cgi-bin/cmh/proxy.sh script allows an attacker to specify arbitrary URLs that the server will fetch on their behalf."
Attack vector
An attacker sends a GET request to `http://A.B.C.D/cgi-bin/cmh/proxy.sh?url=https://www.trustwave.com` (or any attacker-chosen URL) [ref_id=1][ref_id=2]. The VeraLite then fetches that URL and returns the response, effectively acting as an open proxy. This allows an attacker to bypass firewall controls, scan or interact with intranet servers that would otherwise be unreachable from the external network, and use the VeraLite as a proxy for further attacks [CWE-918]. No authentication is required to access the proxy.sh script.
Affected code
The vulnerable script is `/cgi-bin/cmh/proxy.sh` on the MiCasaVerde VeraLite with firmware 1.5.408 [ref_id=1][ref_id=2]. This CGI script accepts a `url` parameter and makes HTTP requests on behalf of the user without validating the target destination.
What the fix does
No official patch is available from the vendor. The vendor responded that the open proxy behavior was a "deliberate design decision" and declined to fix it [ref_id=1][ref_id=2]. The advisory recommends limiting exposure by restricting network access to the device through access control lists and proper network segmentation [ref_id=1][ref_id=2].
Preconditions
- Network: Attacker must have network access to the VeraLite device's web interface (port 80 or the port serving proxy.sh)
- Auth: No authentication is required to access the proxy.sh script
Reproduction
Send a GET request to the proxy.sh script with an arbitrary URL parameter: `GET http://A.B.C.D/cgi-bin/cmh/proxy.sh?url=https://www.trustwave.com` [ref_id=1][ref_id=2]. The device will fetch the target URL and return the response, confirming SSRF.
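The reproduction GET above, the attack vector, and the "What the fix does" note all come down to one missing check: proxy.sh never asks where the url parameter points. The following is an added example (not code from the MiCasaVerde firmware or from the cited advisories) that shows that check in two roles: validate_proxy_target() is the default-deny destination rule a "fetch this URL for me" endpoint should enforce, and find_proxy_ssrf() sweeps web-server access-log lines for proxy.sh requests whose url= lands on an intranet address, which is what the reproduction request looks like when aimed inward. The access-log lines and the DNS table are constructed for the demo; the hostname router.lan and the function names are assumptions.

```python
"""Added example for CVE-2013-4864 (not the firmware's own proxy.sh code).

validate_proxy_target(): the destination check proxy.sh lacks.
find_proxy_ssrf(): flag proxy.sh requests in access logs that aim inward.
The log lines and FAKE_DNS below are constructed so the demo runs offline."""
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlsplit

# Destinations an exposed proxy must never fetch on a caller's behalf:
# RFC 1918, loopback, link-local (incl. 169.254.169.254 metadata), IPv6 ULA/link-local.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table (assumption) so the example runs offline.
FAKE_DNS = {"www.trustwave.com": ["198.51.100.20"], "router.lan": ["192.168.1.1"]}


def fake_resolve(host):
    return FAKE_DNS.get(host.lower(), [])


def dns_resolve(host):
    """Live resolver: every address the name maps to (attackers may publish several)."""
    try:
        return sorted({info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def _is_blocked(addr_text):
    addr = ipaddress.ip_address(addr_text)
    # ::ffff:10.0.0.1 is 10.0.0.1 in disguise: test the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETS)


def validate_proxy_target(url, resolver=dns_resolve):
    """Return (allowed, reason). Default-deny: unparseable, unresolvable, non-HTTP,
    or anything resolving into BLOCKED_NETS is refused."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in url"
    try:                                   # literal IP: no lookup needed
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve: %s" % host
    for a in addrs:
        if _is_blocked(a):
            return False, "%s resolves to internal address %s" % (host, a)
    return True, "ok"


# Combined-log request field: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')


def find_proxy_ssrf(log_lines, resolver=dns_resolve):
    """Return (client_ip, url_param, allowed, reason) for every proxy.sh request."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        req = urlsplit(m.group("target"))
        if not req.path.endswith("/cgi-bin/cmh/proxy.sh"):
            continue
        for target in parse_qs(req.query).get("url", []):  # parse_qs percent-decodes
            allowed, reason = validate_proxy_target(target, resolver)
            hits.append((line.split()[0], target, allowed, reason))
    return hits


# Constructed access-log lines (not real device output).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jul/2013:10:00:01 +0000] "GET /cgi-bin/cmh/proxy.sh?url=https://www.trustwave.com HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Jul/2013:10:00:02 +0000] "GET /cgi-bin/cmh/proxy.sh?url=http://192.168.1.1/ HTTP/1.1" 200 2048',
    '203.0.113.7 - - [14/Jul/2013:10:00:03 +0000] "GET /cgi-bin/cmh/proxy.sh?url=http%3A%2F%2Frouter.lan%2Fadmin HTTP/1.1" 200 1900',
    '203.0.113.7 - - [14/Jul/2013:10:00:04 +0000] "GET /cgi-bin/cmh/proxy.sh?url=file:///etc/passwd HTTP/1.1" 200 60',
    '198.51.100.2 - - [14/Jul/2013:10:00:05 +0000] "GET /port_3480/data_request?id=sdata HTTP/1.1" 200 7000',
]

if __name__ == "__main__":
    for client, target, allowed, reason in find_proxy_ssrf(SAMPLE_LOG, fake_resolve):
        print("%-12s %-7s %-45s %s" % (client, "ALLOW" if allowed else "DENY", target, reason))
```

Two caveats for anyone reusing the validator in a real proxy: resolving a name once for the check and again for the fetch leaves a DNS-rebinding window, so the fetch should connect to the address that was checked (or re-check on every redirect and connection); and the external hits the sweep marks ALLOW still show the device being used as an open proxy, which on a home-automation controller is itself worth an alert.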
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/122654/MiCasaVerde-VeraLite-1.5.408-Traversal-Authorization-CSRF-Disclosure.html
- www.exploit-db.com/exploits/27286
- www3.trustwave.com/spiderlabs/advisories/TWSL2013-019.txt
News mentions
No linked articles in our index yet.