VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2022 · Updated Apr 15, 2025

CVE-2022-32586

Description

An OS command injection vulnerability exists in the web interface /action/ipcamRecordPost functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OS command injection in Abode iota web interface allows authenticated attackers to execute arbitrary commands on the device.

Vulnerability

An OS command injection vulnerability exists in the /action/ipcamRecordPost endpoint of the local web interface on Abode Systems, Inc. iota All-In-One Security Kit versions 6.9X and 6.9Z [1]. The web server is disabled by default but can be enabled via other vulnerabilities (e.g., TALOS-2022-1552 or TALOS-2022-1553). The function handling the request, located at offset 0x1BC91C in the /root/hpgw binary, fails to properly neutralize special elements in user-supplied input, allowing injection of arbitrary OS commands [1].

Exploitation

An attacker must first obtain authenticated access to the local web interface and ensure the web server is enabled. The attacker then sends a specially-crafted HTTP POST request to /action/ipcamRecordPost containing malicious input that is injected into an OS command. No additional user interaction is required beyond the initial authentication [1].

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary OS commands with root privileges on the iota device. This results in full compromise of confidentiality, integrity, and availability: the attacker can read sensitive data, modify device configuration, or leverage the device for further network attacks [1].

Mitigation

As of the publication date (2022-10-25), no official fix has been released by the vendor [1]. The web server is disabled by default, which significantly reduces the attack surface. Users should ensure the web server remains disabled unless absolutely necessary. No workaround is available beyond disabling the web interface. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
