CVE-2022-33189
Description
An OS command injection vulnerability exists in the XCMD setAlexa functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z. A specially-crafted XCMD can lead to arbitrary command execution. An attacker can send a malicious XML payload to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OS command injection in Abode iota All-In-One Security Kit 6.9Z via specially-crafted XCMD allows unauthenticated remote code execution.
Vulnerability
The iota All-In-One Security Kit (version 6.9Z) contains an OS command injection vulnerability in the setAlexa XCMD handler. The device receives XCMDs (XML payloads) via an XMPP connection or through a UDP service on port 55050 that allows unauthenticated access [1]. A specially-crafted XML payload can inject arbitrary OS commands.
Exploitation
An unauthenticated attacker can send a malicious XML payload to the iota device via the UDP service on port 55050 (or potentially via XMPP). The payload targets the setAlexa XCMD and includes injected commands. No authentication or user interaction is required; the attacker only needs network access to the device.
Impact
Successful exploitation allows arbitrary command execution with root privileges, leading to full compromise of the device. The attacker can read sensitive data, modify system configuration, or use the device as a pivot point in the network. The CVSS score is 10.0 (Critical) with impact on confidentiality, integrity, and availability.
Mitigation
As of the advisory publication (October 2022), no patch was available. The vendor (Abode Systems) was notified but no fix had been released. Users should monitor for firmware updates and restrict network access to the iota device, especially blocking UDP port 55050 from untrusted networks. The device is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- iota All-In-One Security Kit (no CPE), version range: =6.9Z
- iota All-In-One Security Kit (no CPE), version range: 6.9Z
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.