CVE-2022-32773
Description
An OS command injection vulnerability exists in the XCMD doDebug functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted XCMD can lead to arbitrary command execution. An attacker can send a malicious XML payload to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OS command injection in Abode iota security kit allows remote unauthenticated attackers to execute arbitrary commands via a crafted XCMD XML payload.
Vulnerability
The iota All-In-One Security Kit (6.9X and 6.9Z) contains an OS command injection vulnerability in the XCMD doDebug functionality. The device receives command and control messages (XCMDs) via an XMPP connection, and additionally a service on UDP/55050 allows unauthenticated access to execute XCMDs. A specially-crafted XML payload can inject OS commands. [1]
Exploitation
An attacker can exploit this vulnerability without authentication by sending a malicious XCMD XML payload to the iota device's UDP/55050 service. No user interaction is required. The attacker must have network access to the device. [1]
Impact
Successful exploitation leads to arbitrary command execution with high privileges, potentially allowing full compromise of the device and lateral movement. The CVSSv3 score is 10.0, indicating critical impact on confidentiality, integrity, and availability. [1]
Mitigation
As of the publication date (2022-10-25), no patched version had been released and Abode Systems had not confirmed a fix. Until one is available, restrict network access to the iota device (in particular the unauthenticated UDP/55050 service and the XMPP path), monitor for firmware updates, and contact the vendor for guidance. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
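The injection pattern the narrative describes, next to the allowlist-plus-argv form that removes it, as an added illustration. This is not Abode's firmware and not code from the cited advisory: the XML element names, the `iface` parameter, the interface allowlist and the `ifconfig` command are assumptions chosen for the example, because the real XCMD doDebug schema and parameters are not documented on this page.

```python
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample XCMD payloads. The <xcmd name=...><iface>...</iface></xcmd>
# layout is a HYPOTHETICAL schema for illustration; the real iota XCMD format
# is not documented on this page.
BENIGN_XCMD = '<xcmd name="doDebug"><iface>eth0</iface></xcmd>'
MALICIOUS_XCMD = '<xcmd name="doDebug"><iface>eth0; cat /etc/shadow</iface></xcmd>'


def parse_xcmd(payload: str) -> tuple:
    """Return (command name, iface text) from an XCMD document (hypothetical schema)."""
    root = ET.fromstring(payload)
    return root.get("name", ""), (root.findtext("iface") or "")


def vulnerable_command_line(payload: str) -> str:
    """The injection pattern: untrusted XML text concatenated into a shell string.

    A handler that ran the returned string through subprocess.run(cmd, shell=True)
    or C's system() would let the '; cat /etc/shadow' carried in MALICIOUS_XCMD
    execute as a second command. Only the string is built here; nothing runs.
    """
    name, iface = parse_xcmd(payload)
    if name != "doDebug":
        raise ValueError("unsupported XCMD")
    return "ifconfig " + iface


# Allowlist of interface names the debug command may touch (assumed for the example).
ALLOWED_IFACES = frozenset({"eth0", "wlan0", "lo"})


def hardened_argv(payload: str) -> list:
    """Safe form: validate the parameter against an allowlist and return an argv list.

    The list is meant for subprocess.run(argv) with shell=False, so the value
    reaches execve() as a single argument and shell metacharacters are inert.
    Anything outside the allowlist is rejected before a process is spawned.
    """
    name, iface = parse_xcmd(payload)
    if name != "doDebug":
        raise ValueError("unsupported XCMD")
    if iface not in ALLOWED_IFACES:
        raise ValueError(f"iface {iface!r} not in allowlist")
    return ["ifconfig", iface]


def run_debug(payload: str) -> bytes:
    """Execute the hardened argv without a shell; requires ifconfig on the host."""
    return subprocess.run(hardened_argv(payload), capture_output=True, check=False).stdout


def xcmd_is_safe(payload: str) -> bool:
    """True only if the payload would be accepted by the hardened handler."""
    try:
        hardened_argv(payload)
    except (ValueError, ET.ParseError):
        return False
    return True


if __name__ == "__main__":
    print("vulnerable builds:", repr(vulnerable_command_line(MALICIOUS_XCMD)))
    print("hardened accepts benign:", xcmd_is_safe(BENIGN_XCMD))
    print("hardened accepts malicious:", xcmd_is_safe(MALICIOUS_XCMD))
```

The fix has two independent halves: an allowlist on the value (so an unexpected interface name is refused outright) and passing the value as an argv element with `shell=False` (so even an allowlist gap cannot turn into command execution). Quoting with `shlex.quote` inside a `shell=True` string is a weaker substitute and is not what this example recommends.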
Affected products
- no CPE; version range: 6.9X and 6.9Z
- no CPE; version range: 6.9X
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.