CVE-2017-9384
Description
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As part of this functionality, the device firmware contains a file known as relay.sh, which allows the device to create relay ports and connect the device to Vera servers. This is primarily used as a method of communication between the device and Vera servers so that the device can be reached even when the user is not at home. One of the parameters retrieved by this script is "remote_host". This parameter is not correctly sanitized by the script and is passed in a call to "eval" to execute another script, where remote_host is concatenated into the command line so that it is passed as a parameter to the second script. This allows an attacker to escape from the executed command and then execute any commands of his/her choice.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in Vera VeraEdge and Veralite devices via unsanitized remote_host parameter in relay.sh allows remote attackers to execute arbitrary commands.
Vulnerability
The vulnerability resides in the relay.sh script on Vera VeraEdge firmware version 1.7.19 and Veralite firmware version 1.7.481. The script retrieves a parameter named remote_host and passes it to an eval call without proper sanitization. This allows an attacker to inject arbitrary shell commands by crafting a malicious remote_host value that escapes the intended command execution context [1].
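The unsafe pattern the description points to is a request parameter spliced into a command string that is then handed to eval. The script below is an added example, not code from Vera's relay.sh (whose contents are not reproduced here): it shows the defensive replacement in POSIX sh, an allowlist check on remote_host followed by a call that passes the value as a discrete argument rather than through eval. The helper name relay_helper is a hypothetical stand-in for the second script.

```shell
#!/bin/sh
# Added example (not Vera's relay.sh): validate remote_host before use and
# invoke the helper without eval, so shell metacharacters in the value are
# data, never code.

# Strict allowlist for remote_host: hostname or IPv4 literal characters only,
# bounded length, no leading hyphen (which the helper could parse as an option).
validate_remote_host() {
    host=$1
    [ -n "$host" ] || return 1
    [ ${#host} -le 253 ] || return 1
    case $host in
        -*) return 1 ;;                  # looks like an option flag
        *[!A-Za-z0-9.-]*) return 1 ;;    # any metacharacter (; | & $ ` space ...) rejected
        .*|*.|*..*) return 1 ;;          # malformed label boundaries
    esac
    return 0
}

# Hypothetical stand-in for the second script relay.sh would call. It reports
# how many arguments it received and echoes the host back, so a caller can
# confirm the value arrived as exactly one argument.
relay_helper() {
    printf 'argc=%d host=%s\n' "$#" "$2"
}

# Safe replacement for the eval-based call: validate, then pass the value as
# a separate argument that the shell never re-parses.
connect_relay() {
    if ! validate_remote_host "$1"; then
        printf 'rejected remote_host\n' >&2
        return 1
    fi
    relay_helper --remote-host "$1"
}

# Demonstration when run directly (constructed sample values).
connect_relay 'relay01.example.com'           # accepted
connect_relay 'relay01.example.com; id' || :  # rejected before any command runs
```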
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the device's web interface, providing a remote_host parameter containing shell metacharacters. The script then executes the injected commands via eval. No authentication is required if the web interface is exposed, and the attack can also be combined with cross-site request forgery (CSRF) to trick an authenticated user into triggering the injection [2].
Impact
Successful exploitation grants the attacker arbitrary command execution with root privileges on the device. This can lead to full device compromise, including data exfiltration, installation of persistent malware, or use of the device in botnet activities [1][2].
Mitigation
As of the publication date (2019-06-17), no official firmware patch has been released to address this vulnerability. Users should isolate affected devices from untrusted networks, disable remote access if possible, or consider replacing them with supported alternatives. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Vera/VeraEdge
- Range: =1.7.481
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- packetstormsecurity.com/files/153242/Veralite-Veraedge-Router-XSS-Command-Injection-CSRF-Traversal.html
- github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Vera_sec_issues.pdf
- seclists.org/bugtraq/2019/Jun/8
News mentions
No linked articles in our index yet.