VYPR
Unrated severity · NVD Advisory · Published Aug 10, 2024 · Updated Mar 11, 2025

Insecure File Generation Based on User Input in Enphase IQ Gateway version 4.x to 8.x and < 8.2.4225

CVE-2024-21877

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability through a URL parameter in Enphase IQ Gateway (formerly known as Envoy) allows File Manipulation. The endpoint requires authentication. This issue affects Envoy: from 4.x to 8.0 and < 8.2.4225.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal vulnerability in Enphase IQ Gateway allows file manipulation via a URL parameter; the attacker must be authenticated, and the gateway must be exposed to the public internet. Fixed in 8.2.4225.

Vulnerability

Enphase IQ Gateway (formerly Envoy) versions 4.x through 8.0 and prior to 8.2.4225 are vulnerable to a path traversal vulnerability through a URL parameter [1]. The endpoint requires authentication [1]. The vulnerability allows an attacker to manipulate files by traversing outside of the restricted directory [1].

Exploitation

An attacker must be authenticated and able to reach the gateway over the network. The attack vector is feasible if the IQ Gateway is modified to obtain a public IP address and connect to the public internet [1]. The attacker can exploit the path traversal via a crafted URL parameter [1].

Impact

Successful exploitation allows file manipulation, potentially leading to arbitrary file read/write or modification on the device [1]. The impact could compromise the integrity and confidentiality of the gateway's data.

Mitigation

Enphase has released software version 8.2.4225 to fix this vulnerability [1]. The advisory recommends upgrading to this version or later. As a workaround, ensure the IQ Gateway is not exposed to the public internet; public exposure is not needed for typical functionality [1].

References
  1. ENSA-2024-2

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3
  • Enphase/Envoy (llm-fuzzy), 2 versions: >=4.0, <=8.0, <8.2.4225 (+ 1 more)
    • (no CPE) range: >=4.0, <=8.0, <8.2.4225
    • (no CPE) range: 8.0
  • Range: >=4.0, <=8.0, <8.2.4225
