Enphase Envoy OS Command Injection
Description
Enphase Envoy version D7.0.88 is vulnerable to a command injection exploit that may allow an attacker to execute root commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Enphase Envoy D7.0.88 is vulnerable to OS command injection, allowing an authenticated attacker to execute arbitrary root commands over the network.
Vulnerability
Enphase Envoy versions D7.0.88 and prior are affected by an OS command injection vulnerability (CWE-78). The flaw exists in the energy monitoring device's software, which fails to properly neutralize special elements in an OS command [1]. This allows an attacker with low-privileged access to inject arbitrary commands that are executed with root privileges.
Exploitation
An attacker needs network access to the Envoy device and valid low-privilege credentials (CVSS: PR:L). No user interaction is required. The attacker sends crafted input to the affected component, which is then processed by the operating system command interpreter. The vulnerability is remotely exploitable with low attack complexity [1].
Impact
Successful exploitation allows the attacker to execute arbitrary commands as root on the device. This can lead to full compromise of the device, including disclosure of sensitive information, modification of device configuration, or denial of service. The CVSS confidentiality, integrity, and availability impacts are all rated low [1].
Mitigation
Enphase has released fixed versions: IQ Gateway Software version 7.3.130 for North America and version 7.6.175 for Europe and the rest of the world. These fixes are being deployed via remote software upgrades. Users should ensure their devices are updated and follow CISA recommendations to minimize network exposure and isolate control system networks behind firewalls [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.