VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2022 · Updated Apr 15, 2025

CVE-2022-33207

Description

Four OS command injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities. This vulnerability focuses on a second unsafe use of the default_key_id HTTP parameter to construct an OS command at offset 0x19B234 of the /root/hpgw binary included in firmware 6.9Z.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated OS command injection in Abode iota gateway's wirelessConnect endpoint via unsafe use of `default_key_id` parameter.

Vulnerability

The iota All-In-One Security Kit (firmware versions 6.9X and 6.9Z) contains an OS command injection vulnerability in the web interface's /action/wirelessConnect functionality. The flaw is a second unsafe use of the default_key_id HTTP parameter at offset 0x19B234 of the /root/hpgw binary, allowing an authenticated attacker to inject arbitrary OS commands. The endpoint is part of the device's local web interface that handles wireless network configuration. The vulnerability stems from improper neutralization of special elements used in an OS command (CWE-78). [1]
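The following is an added illustration of the CWE-78 pattern described above, not code from the /root/hpgw binary or from Abode: a hypothetical handler that splices the default_key_id parameter into a command line, beside a hardened version that parses the parameter as a small integer before it can reach a shell. The helper path /bin/wireless_setup and the accepted range 0..3 are assumptions, not details taken from the firmware.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration of the CWE-78 pattern, NOT the real /root/hpgw code.
 * "/bin/wireless_setup" is a placeholder; the key-id range 0..3 is an assumption. */
#define DEFAULT_KEY_ID_MAX 3

/* Vulnerable pattern: the raw HTTP parameter is spliced into a command line
 * that is later handed to system(). Any shell metacharacter in the value
 * reaches the shell unchanged. */
int build_wireless_cmd_unsafe(const char *default_key_id, char *out, size_t outsz) {
    int n = snprintf(out, outsz, "/bin/wireless_setup --key-id %s", default_key_id);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Strict allowlist parse: 1-3 ASCII digits, value 0..DEFAULT_KEY_ID_MAX.
 * Returns the integer on success, -1 on any other input. */
int parse_default_key_id(const char *s) {
    size_t len;
    if (s == NULL || (len = strlen(s)) == 0 || len > 3) return -1;
    for (const char *p = s; *p; p++)
        if (!isdigit((unsigned char)*p)) return -1;
    long v = strtol(s, NULL, 10);
    return (v >= 0 && v <= DEFAULT_KEY_ID_MAX) ? (int)v : -1;
}

/* Hardened pattern: validate first, then format only the parsed integer, so
 * no attacker-controlled bytes ever appear in the command string. (Better
 * still: drop system() and exec the helper with an argv array.) */
int build_wireless_cmd_safe(const char *default_key_id, char *out, size_t outsz) {
    int id = parse_default_key_id(default_key_id);
    if (id < 0) return -1;               /* reject before anything reaches a shell */
    int n = snprintf(out, outsz, "/bin/wireless_setup --key-id %d", id);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void) {
    /* Constructed sample inputs: one benign, one carrying a shell metacharacter. */
    const char *inputs[] = { "1", "1; true" };
    char cmd[128];
    for (size_t i = 0; i < 2; i++) {
        build_wireless_cmd_unsafe(inputs[i], cmd, sizeof cmd);
        printf("unsafe : %s\n", cmd);
        printf("safe   : %s\n", build_wireless_cmd_safe(inputs[i], cmd, sizeof cmd) == 0 ? cmd : "REJECTED");
    }
    return 0;
}
```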

Exploitation

An attacker with authenticated network access to the iota gateway's local web interface can send a specially-crafted HTTP request to /action/wirelessConnect with a malicious default_key_id parameter. No user interaction beyond authentication is required. The parameter is unsafely incorporated into an OS command executed by the device, resulting in arbitrary command execution. The attack does not require physical access and can be performed remotely over the network. [1]

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary OS commands on the device with root privileges. This can lead to full compromise of the gateway, including disclosure of sensitive data, manipulation of security settings, disabling of alarms, surveillance via the onboard camera, or lateral movement to other devices on the LAN. The CVSSv3 score for this vulnerability is 10.0, reflecting critical impact on confidentiality, integrity, and availability. [1]

Mitigation

Abode Systems released firmware version 6.9X on December 15, 2021 as a patch for the related CVE-2020-8105. However, the present vulnerability (CVE-2022-33207) affects the same endpoint and was not fully remedied in that patch; firmware version 6.9Z is also confirmed vulnerable. As of the publication date (October 25, 2022), no specific patch addressing this exact injection point has been confirmed in the available references. Operators should monitor vendor advisories for an updated firmware release. If the web interface is not required, disabling it may reduce exposure. [1]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)