CVE-2022-29520
Description
An OS command injection vulnerability exists in the console_main_loop :sys functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z. A specially-crafted XCMD can lead to arbitrary command execution. An attacker can send an XML payload to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An OS command injection vulnerability in the console_main_loop:sys functionality of Abode iota All-In-One Security Kit 6.9Z allows arbitrary command execution via crafted XCMD.
Vulnerability
An OS command injection vulnerability exists in the console_main_loop :sys functionality of Abode Systems, Inc. iota All-In-One Security Kit version 6.9Z. The device receives command and control messages (XCMDs) via XMPP or an unauthenticated UDP service on port 55050. A specially-crafted XML payload can trigger arbitrary command execution. [1]
Exploitation
An attacker can send a crafted XML payload containing a malicious XCMD to the iota device without authentication, either over the local network via UDP/55050 or potentially over XMPP. No user interaction or special privileges are required. The vulnerability is reachable by sending a specially-crafted XCMD that exploits the console_main_loop :sys functionality. [1]
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the affected process, leading to full compromise of confidentiality, integrity, and availability of the device. [1]
Mitigation
Not yet disclosed in the available references. Abode Systems has not released a patched version as of the advisory publication date. Users should monitor for updates from the vendor. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: =6.9Z
- (no CPE) range: 6.9Z
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.