VYPR
Unrated severity · NVD Advisory · Published Jun 17, 2019 · Updated Aug 5, 2024

CVE-2017-9388


Description

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As part of this functionality the device firmware contains a file known as proxy.sh, which allows the device to proxy a specific request to and from another website. This is primarily used as a method of communication between the device and the Vera website when the user is logged in to https://home.getvera.com, and allows traffic to pass between the device and the website. One of the parameters retrieved by this script is "url". This parameter is not sanitized correctly by the script and is passed in a call to "eval" to execute "curl" functionality. This allows an attacker to escape from the executed command and then execute any commands of his/her choice.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vera VeraEdge 1.7.19 and Veralite 1.7.481 contain an unauthenticated command injection via unsanitized 'url' parameter in proxy.sh, leading to arbitrary command execution.

Vulnerability

The Vera VeraEdge (firmware version 1.7.19) and Veralite (firmware version 1.7.481) devices include a web user interface that uses a script proxy.sh. This script is intended to proxy requests between the device and the Vera cloud service (https://home.getvera.com). The script accepts a url parameter without proper sanitization and passes it to eval to execute a curl command. An attacker can inject arbitrary commands by including shell metacharacters in the url parameter [1][2].

Exploitation

The attacker does not need authentication: the proxy.sh endpoint is accessible to unauthenticated network traffic. By sending a crafted HTTP request with a malicious url parameter containing command separators (e.g., `;` or backticks), an attacker can break out of the intended `curl` invocation and execute arbitrary operating system commands on the device. No user interaction or special privileges are required; only network access to the device's web interface is necessary [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary commands with the privileges of the web server process, typically root. This results in full compromise of the device, including the ability to read sensitive data, modify configuration, disable security features, or use the device as a pivot point for further network attacks. The CVSS score of 9.8 (Critical) reflects the unauthenticated remote code execution capability [1][2].

Mitigation

Vera has not released a public patch for these specific firmware versions (1.7.19 for VeraEdge and 1.7.481 for Veralite). Users are advised to isolate the devices on a separate VLAN or restrict network access to the web interface (e.g., do not expose it to the internet). The devices have been reported as EOL (end-of-life) by some sources, increasing the risk of no official fix. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
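The defect described above is that the raw url value is interpolated into a command line and handed to eval. The following is an added example (not the Vera proxy.sh, which this page does not reproduce) of how a URL-proxying helper can be written so the value never reaches a shell parser; it assumes the candidate URL arrives as "$1" and that home.getvera.com over HTTPS is the only legitimate upstream.

```shell
#!/bin/sh
# Hardened shape for a URL-proxying CGI helper (added example; not Vera's
# proxy.sh). Assumptions: the caller passes the candidate URL as "$1", and
# the only legitimate upstream is home.getvera.com over HTTPS.

ALLOWED_HOST="home.getvera.com"

# Return 0 only when $1 is a URL this proxy is allowed to fetch.
# Allow-list rather than deny-list: exact https scheme and host, then a
# restricted character set for the rest. Shell metacharacters such as ';',
# backticks, '$', '(', quotes, spaces and newlines are outside the set, so
# they can never pass validation. Under this policy an '&' inside a query
# string has to be sent percent-encoded (%26).
validate_proxy_url() {
    # Host must be exactly ALLOWED_HOST, followed by end of string or '/'.
    # This also rejects home.getvera.com.not-vera.example and user@host forms.
    case "$1" in
        "https://$ALLOWED_HOST"|"https://$ALLOWED_HOST/"*) ;;
        *) return 1 ;;
    esac
    # Reject the URL if any character falls outside the restricted alphabet.
    case "$1" in
        *[!A-Za-z0-9._~:/?#@!+,=%-]*) return 1 ;;
    esac
    return 0
}

# Fetch a validated URL. The URL is handed to curl as a single argv element;
# there is no eval and no string interpolation into a command line, so
# nothing in the value is ever parsed by a shell. curl's "--" ends option
# parsing, so a value beginning with "-" cannot be read as an option.
safe_proxy_fetch() {
    if ! validate_proxy_url "$1"; then
        echo "proxy: rejected url" >&2
        return 1
    fi
    curl --silent --show-error --fail --max-time 10 -- "$1"
}
```

Calling safe_proxy_fetch with a value that contains a separator or backtick fails closed before curl is ever started, which is the behaviour the vulnerable eval pattern lacks.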

Affected products: 3

Patches: 0 (no patches discovered yet)
