VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2022 · Updated Apr 15, 2025

CVE-2022-30603

Description

An OS command injection vulnerability exists in the web interface /action/iperf functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OS command injection in Abode iota web interface /action/iperf allows authenticated remote attackers to execute arbitrary commands on affected versions 6.9X and 6.9Z.

Vulnerability

The Abode Systems iota All-In-One Security Kit versions 6.9X and 6.9Z contain an OS command injection vulnerability in the web interface endpoint /action/iperf. The endpoint does not properly sanitize user-supplied input before passing it to an operating system command, allowing an attacker to inject arbitrary commands. The web interface is disabled by default but can be enabled via other vulnerabilities (TALOS-2022-1552, TALOS-2022-1553) [1].
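The root cause described above, an endpoint handing user-supplied values to an operating system command without sanitizing them, is countered by validating every parameter against a strict grammar and then invoking the tool as an argv list with no shell in the path. The following is an added Python example, not Abode firmware code: the parameter names (target, port, seconds) and the iperf3 command line are assumptions about what a bandwidth-test endpoint of this kind might execute.

```python
"""Hardened handling for an iperf-style "run a network test" endpoint.

Added example, not Abode's firmware. The parameter names (target, port,
seconds) and the iperf3 invocation are assumptions about what such an
endpoint might pass to the OS.
"""
import ipaddress
import re
import subprocess

# RFC 1123 hostname: labels of letters, digits and hyphens, no leading or
# trailing hyphen, joined by dots. Anything else (spaces, ';', '$', '(', '`',
# quotes, a leading '-') fails the allowlist and never reaches a command line.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def validate_target(value) -> str:
    """Return a canonical IP literal or a syntactically valid hostname, else raise."""
    if not isinstance(value, str) or not value or len(value) > 253:
        raise ValueError("target missing, too long or not a string")
    try:
        return str(ipaddress.ip_address(value))  # canonical form, e.g. "::1"
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(value):  # fullmatch: a trailing newline also fails
        return value
    raise ValueError(f"rejected target {value!r}")


def validate_port(value) -> int:
    """Accept only an integer in 1..65535; int() already rejects shell syntax."""
    port = int(str(value).strip(), 10)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def validate_seconds(value) -> int:
    """Bound the test duration so a caller cannot pin the device's CPU for long."""
    seconds = int(str(value).strip(), 10)
    if not 1 <= seconds <= 60:
        raise ValueError(f"duration out of range: {seconds}")
    return seconds


def build_iperf_argv(target, port=5201, seconds=10) -> list:
    """Build an argv list: each user value becomes exactly one argument, so
    execve sees it as data, never as shell syntax or an extra iperf3 option."""
    return [
        "iperf3", "-c", validate_target(target),
        "-p", str(validate_port(port)),
        "-t", str(validate_seconds(seconds)),
    ]


def run_iperf(target, port=5201, seconds=10) -> subprocess.CompletedProcess:
    """Execute without a shell; shell=False is the default but is spelled out."""
    argv = build_iperf_argv(target, port, seconds)
    return subprocess.run(argv, shell=False, capture_output=True, text=True,
                          timeout=seconds + 15)


def is_safe_request(params: dict) -> bool:
    """Validate a parsed form/query dict up front; a handler can answer 400 on False."""
    try:
        build_iperf_argv(params.get("target", ""), params.get("port", 5201),
                         params.get("seconds", 10))
        return True
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    # Constructed inputs: two benign requests, then values carrying shell or
    # option syntax that the allowlist must refuse.
    for sample in ({"target": "10.0.0.5"},
                   {"target": "speedtest.example.net", "port": "5201"},
                   {"target": "10.0.0.5;echo"},
                   {"target": "$(hostname)"},
                   {"target": "-R"},
                   {"target": "10.0.0.5", "port": "5201 -x"}):
        print(sample, "->", "accepted" if is_safe_request(sample) else "rejected")
```

The design point is that rejection happens before any command is assembled: the validators are the only path into `build_iperf_argv`, and because the argv list is passed straight to `subprocess.run` without `shell=True`, even a value that slipped past the allowlist would be delivered to iperf3 as a single literal argument rather than interpreted by a shell.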

Exploitation

An attacker must first gain authenticated access to the local web interface. The web interface is not enabled by default; however, an attacker could leverage separate vulnerabilities (TALOS-2022-1552 or TALOS-2022-1553) to enable the web server and obtain credentials. Once authenticated, the attacker sends a specially crafted HTTP POST request to /action/iperf containing malicious command injection payloads. No additional user interaction is required [1].

Impact

Successful exploitation allows the attacker to execute arbitrary operating system commands with the privileges of the web server process. This can lead to full compromise of the iota device, including disclosure of sensitive information, modification of system configuration, and potential lateral movement within the local network. The CVSSv3 score is 10.0, indicating critical severity [1].

Mitigation

As of the publication date, no official patch has been released by Abode Systems. The vendor has confirmed the vulnerability in versions 6.9X and 6.9Z. Users should ensure the web interface remains disabled if not needed, restrict network access to the device, and monitor for firmware updates. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.