CVE-2022-35879
Description
Four format string injection vulnerabilities exist in the UPnP logging functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted UPnP negotiation can lead to memory corruption, information disclosure, and denial of service. An attacker can host a malicious UPnP service to trigger these vulnerabilities. This vulnerability arises from format string injection via controlURL XML tag, as used within the DoUpdateUPnPbyService action handler.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Format string injection in UPnP logging of Abode iota All-In-One Security Kit 6.9Z/6.9X allows memory corruption, info disclosure, and DoS via malicious UPnP service.
Vulnerability
Four format string injection vulnerabilities exist in the UPnP logging functionality of Abode Systems iota All-In-One Security Kit versions 6.9Z and 6.9X [1]. The bug resides in the DoUpdateUPnPbyService action handler, where the controlURL XML tag from a UPnP negotiation is passed directly as a format string to the device's logging function (a wrapper around vsnprintf) [1]. No authentication is required to trigger the vulnerable code path; an attacker need only respond to UPnP discovery requests from the device and supply malicious XML that includes format specifiers in the controlURL element [1].
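The bug class described above next to its fix, as an added C example that is not Abode's firmware code or code from the cited advisory. The names dev_log, log_url_vulnerable and log_url_fixed are hypothetical, and the sample controlURL value is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the device's logging wrapper around vsnprintf.
 * Declaring it with __attribute__((format(printf, 3, 4))) (GCC/Clang) lets
 * -Wformat-security flag the non-literal format in log_url_vulnerable(). */
static int dev_log(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Bug class from the advisory: remote text is used as the format string,
 * so any conversion specifier inside it is interpreted by vsnprintf. */
static int log_url_vulnerable(char *out, size_t n, const char *control_url)
{
    return dev_log(out, n, control_url);
}

/* Fix: constant format string; the untrusted value is only ever an argument. */
static int log_url_fixed(char *out, size_t n, const char *control_url)
{
    return dev_log(out, n, "controlURL=%s", control_url);
}

int main(void)
{
    /* Constructed sample. "%%" is the one specifier that reads no argument,
     * so the difference is observable without undefined behaviour. */
    const char *url = "/upnp/control%%2Fwan";
    char a[64], b[64];
    log_url_vulnerable(a, sizeof a, url);
    log_url_fixed(b, sizeof b, url);
    printf("vulnerable: %s\nfixed:      %s\n", a, b);
    return 0;
}
```

The vulnerable path rewrites the value it logs because the specifier is interpreted, while the fixed path records the bytes exactly as received.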
Exploitation
An attacker must be on the same network segment as the vulnerable iota device (adjacent network) and host a malicious UPnP service [1]. When the iota device's UPnP logic attempts to update service information, it will connect to the attacker's UPnP endpoint and parse the response. If the response contains a crafted controlURL value (e.g., containing %s, %n, etc.), the format string is injected into the log function. The attacker does not need any prior authentication or filesystem access [1]. The exploitation sequence is: attacker provides a UPnP device/service advertisement with a malicious controlURL; the iota device processes it and passes the string to the format-logging function; memory corruption or information disclosure follows [1].
Impact
Successful exploitation can lead to memory corruption (arbitrary write), information disclosure (stack memory leaks via format string reads), and denial of service (crash) [1]. The CVSSv3 score is 7.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H), indicating low impact to integrity but high availability impact, with no user interaction required [1]. The attacker can potentially corrupt control structures and escalate beyond the logging context, though the reference does not detail a full privilege escalation chain [1].
Mitigation
As of the publication date (2022-10-25), Abode Systems has not released a patched firmware version [1]. The vulnerable versions are 6.9X and 6.9Z; users should monitor vendor updates for a fix [1]. No workaround is documented; restricting UPnP traffic at the network boundary (e.g., blocking SSDP/UPnP traffic from untrusted networks) may reduce exposure but does not eliminate the risk if an attacker is already on the LAN [1]. This CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog at time of writing [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: 6.9Z, 6.9X
- (no CPE) range: 6.9X
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.