CVE-2022-33192
Description
Four OS command injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. An XCMD can lead to arbitrary command execution. An attacker can send a sequence of malicious commands to trigger these vulnerabilities. This vulnerability specifically focuses on the unsafe use of the WL_SSID and WL_SSID_HEX configuration values in the function at offset 0x1c7d28 of firmware 6.9Z.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OS command injection in Abode iota All-In-One Security Kit's testWifiAP functionality allows unauthenticated attackers to execute arbitrary commands.
Vulnerability
Four OS command injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. iota All-In-One Security Kit versions 6.9X and 6.9Z. The vulnerability is specifically in the unsafe use of the WL_SSID and WL_SSID_HEX configuration values in the function at offset 0x1c7d28 of firmware 6.9Z. The device receives XCMD payloads via an XMPP connection or over UDP/55050, which is exposed to unauthenticated attackers [1].
Exploitation
An attacker can send a sequence of malicious XCMD commands via UDP/55050 (or XMPP) to trigger the injection. The XCMD must contain a root node with a child element containing the target MAC address and a second element. By crafting the `WL_SSID` or `WL_SSID_HEX` values with OS command injection payloads, the attacker achieves arbitrary command execution. No authentication or user interaction is required [1].
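The defect class described above is a configuration value reaching a shell as part of a command string. The following is an added example (not Abode's firmware code, which is not on this page) contrasting that injection-prone pattern with a hardened handler: the SSID is validated (hex decoding for `WL_SSID_HEX`, the 32-byte 802.11 limit, no NUL) and then passed as its own argv element, so no shell ever parses it. The helper binary path `/usr/sbin/wifi_test` and the function names are placeholders; only the parameter names `WL_SSID` and `WL_SSID_HEX` come from the advisory.

```python
import binascii
import subprocess

# Placeholder for whatever helper the testWifiAP handler runs on the device;
# the real program is not named in the advisory.
WIFI_TEST_BIN = "/usr/sbin/wifi_test"
MAX_SSID_BYTES = 32  # 802.11 SSID length limit


def unsafe_shell_command(ssid: str) -> str:
    """The injection-prone pattern: the attacker-controlled value is spliced
    into one string that a shell will later parse, so any shell metacharacter
    inside the SSID becomes shell syntax. Returned, not executed."""
    return f"{WIFI_TEST_BIN} --ssid {ssid}"


def rejection_reason(params: dict):
    """Validate the SSID carried in an XCMD parameter map.
    Returns None if acceptable, otherwise a short reason string.
    WL_SSID_HEX is preferred when both keys are present."""
    if "WL_SSID_HEX" in params:
        try:
            raw = binascii.unhexlify(params["WL_SSID_HEX"])
        except (binascii.Error, ValueError):
            return "WL_SSID_HEX is not valid hex"
    elif "WL_SSID" in params:
        raw = params["WL_SSID"].encode("utf-8")
    else:
        return "no SSID supplied"
    if not raw or len(raw) > MAX_SSID_BYTES:
        return "SSID must be 1..32 bytes"
    if b"\x00" in raw:
        return "SSID contains NUL"  # an argv element cannot carry NUL
    return None


def safe_argv(params: dict) -> list:
    """Hardened form: the SSID travels as a single argv element, handed to the
    program verbatim by the kernel. Raises ValueError on rejected input."""
    reason = rejection_reason(params)
    if reason is not None:
        raise ValueError(reason)
    if "WL_SSID_HEX" in params:
        ssid = binascii.unhexlify(params["WL_SSID_HEX"]).decode("utf-8", "surrogateescape")
    else:
        ssid = params["WL_SSID"]
    return [WIFI_TEST_BIN, "--ssid", ssid]


def run_wifi_test(params: dict) -> int:
    """Execute the helper without a shell (shell=False is the default for a
    list argv). Returns the exit status; the placeholder binary will not exist
    on a workstation, so this is only called from the demo below."""
    return subprocess.run(safe_argv(params), check=False).returncode


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    hostile = {"WL_SSID": "Guest; echo injected"}
    print("unsafe string:", unsafe_shell_command(hostile["WL_SSID"]))
    print("safe argv:    ", safe_argv(hostile))
    print("hex form:     ", safe_argv({"WL_SSID_HEX": "486f6d65"}))
    print("rejected:     ", rejection_reason({"WL_SSID_HEX": "zz"}))
```

The point of the contrast is that the hardened path does not need to guess which characters are dangerous: because the value never passes through a shell, `;`, backticks and `$(...)` are just SSID bytes. Validation is still worthwhile (length, hex well-formedness, NUL) because those are constraints of the protocol and of argv, not of the shell.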
Impact
Successful exploitation allows an unauthenticated remote attacker to execute arbitrary commands on the device, leading to full compromise of confidentiality, integrity, and availability. The CVSSv3 score is 10.0, indicating critical severity with network attack vector, low attack complexity, and total system compromise [1].
Mitigation
As of the publication date (2022-10-25), no fixed version has been released. The affected versions are 6.9X and 6.9Z. Mitigation strategies include restricting network access to UDP/55050 and monitoring for vendor patches. This vulnerability is not listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog as of the reference date [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries: 6.9X, 6.9Z + 1 more
- (no CPE) range: 6.9X, 6.9Z
- (no CPE) range: 6.9X
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference
News mentions
No linked articles in our index yet.