CVE-2020-25755
Description
An issue was discovered on Enphase Envoy R3.x and D4.x (and other current) devices. The upgrade_start function in /installer/upgrade_start allows remote authenticated users to execute arbitrary commands via the force parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated remote command execution in Enphase Envoy via upgrade_start function's force parameter.
Vulnerability
The vulnerability exists in the upgrade_start function located at /installer/upgrade_start on Enphase Envoy R3.x, D4.x, and other current devices [1]. An authenticated remote user can execute arbitrary commands by passing a crafted force parameter to this endpoint. The issue arises from insufficient sanitization of user input within the upgrade process, allowing injection of system commands.
Exploitation
To exploit, an attacker must have valid credentials for the Envoy's installer interface. No special network position is required beyond reachability of the device. The attacker sends an HTTP request to /installer/upgrade_start with a malicious force parameter containing shell metacharacters. For example, appending ; command to the parameter value executes the injected command on the device's operating system.
Impact
Successful exploitation allows arbitrary command execution with the privileges of the web server process, typically root. This results in full compromise of the Envoy device, enabling an attacker to manipulate energy monitoring data, disable over-the-air updates, install persistent backdoors, or pivot to other devices on the local network. The attack compromises confidentiality, integrity, and availability of the affected system.
Mitigation
No official fix or workaround is disclosed in the available references. Users are advised to restrict network access to the Envoy's installer interface, use strong authentication credentials, and monitor for unauthorized access. Enphase has not announced a patched firmware version as of the publication date (2021-06-16).
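The monitoring advice above can be made concrete by reviewing web access logs for requests to /installer/upgrade_start whose force value contains anything other than a plain flag. The following is an added example, not code from the advisory or from Enphase. It assumes a combined-log-style request field, that the force parameter appears in the logged query string, and that benign values are short alphanumeric tokens; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

TARGET_PATH = "/installer/upgrade_start"
# Assumption: a benign `force` value is a short alphanumeric flag.
SAFE_FORCE = re.compile(r"[A-Za-z0-9_-]{1,16}")
# Assumption: request field looks like "METHOD URI HTTP/x.y" (combined log style).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - installer [16/Jun/2021:10:00:01 +0000] '
    '"GET /installer/upgrade_start?force=1 HTTP/1.1" 200 512',
    '192.0.2.44 - installer [16/Jun/2021:10:03:17 +0000] '
    '"GET /installer/upgrade_start?force=1%3B%20command HTTP/1.1" 200 498',
    '192.0.2.44 - installer [16/Jun/2021:10:03:40 +0000] '
    '"GET /home?force=%7Ccommand HTTP/1.1" 200 2048',
    '192.0.2.51 - installer [16/Jun/2021:10:05:02 +0000] '
    '"POST /installer/upgrade_start?force=true%7Ccommand HTTP/1.1" 200 498',
]


def suspicious_force_values(log_lines):
    """Return (line_number, decoded_value) for each request to the upgrade
    endpoint whose `force` parameter fails the allow-list."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue  # not an HTTP request line we understand
        parts = urlsplit(match.group("uri"))
        if parts.path.rstrip("/") != TARGET_PATH:
            continue  # only the upgrade endpoint is of interest
        # parse_qsl percent-decodes, so encoded metacharacters are caught too.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key == "force" and not SAFE_FORCE.fullmatch(value):
                hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in suspicious_force_values(SAMPLE_LOG):
        print(f"line {number}: unexpected force value {value!r}")
```

An allow-list is used rather than a list of known-bad characters so that encodings and metacharacters not anticipated here are still flagged for review.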
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Enphase/Envoy
Patches
No patches discovered yet.
References
- enphase.com/en-us/products-and-services/envoy-and-combiner (mitre, x_refsource_MISC)
- medium.com/stage-2-security/can-solar-controllers-be-used-to-generate-fake-clean-energy-credits-4a7322e7661a (mitre, x_refsource_MISC)
- stage2sec.com (mitre, x_refsource_MISC)