CVE-2017-9389
Description
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As part of this functionality, the device allows a user to install applications written in the Lua programming language. The interface also allows any user to write his/her own application in Lua. However, this functionality is not protected by authentication, which allows an attacker to run arbitrary Lua code on the device. The POST request is forwarded to the LuaUPNP daemon on the device. This binary handles the received Lua code in the function "LU::JobHandler_LuaUPnP::RunLua(LU::JobHandler_LuaUPnP *__hidden this, LU::UPnPActionWrapper *)". The value in the "code" parameter is then passed to the function "LU::LuaInterface::RunCode(char const*)", which actually loads the Lua engine and runs the code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated remote code execution via the Lua scripting interface on VeraEdge and Veralite routers.
Vulnerability
The VeraEdge firmware version 1.7.19 and Veralite firmware version 1.7.481 expose a web user interface that allows installing and executing Lua applications. The interface sends a POST request to the LuaUPNP daemon, which processes the Lua code in the code parameter via the function LU::LuaInterface::RunCode. This functionality is not protected by authentication, allowing arbitrary Lua code execution [1][2].
Exploitation
An attacker requires network access to the device (either local or Internet-facing if port forwarding is enabled). No authentication is needed. The attacker sends a crafted POST request containing malicious Lua code in the code parameter to the LuaUPNP endpoint. The daemon then executes the code without any checks [1].
Impact
Successful exploitation allows remote attackers to execute arbitrary Lua code with the privileges of the LuaUPNP daemon, which typically runs as root. This can lead to full device compromise, including data theft, configuration modification, or denial of service [1][2].
Mitigation
As of the publication date, no official patch was available. Users are advised to restrict network access to the device (e.g., disable remote administration, block ports used by Vera) and monitor vendor updates. The devices may be end-of-life; consider replacing them if security is critical [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Vera/VeraEdge/Veralite
- Range: = 1.7.481
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] packetstormsecurity.com/files/153242/Veralite-Veraedge-Router-XSS-Command-Injection-CSRF-Traversal.html (MISC)
- [2] github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Vera_sec_issues.pdf (MISC)
- seclists.org/bugtraq/2019/Jun/8 (mailing list, BUGTRAQ)
News mentions
No linked articles in our index yet.