VYPR
Unrated severity · NVD Advisory · Published Aug 10, 2024 · Updated Mar 11, 2025

Command Injection through Unsafe File Name Evaluation in internal script in Enphase IQ Gateway v4.x to and including 8.x

CVE-2024-21878

Description

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This vulnerability is present in an internal script. This issue affects Envoy: from 4.x up to and including 8.x and is currently unpatched.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Command injection in Enphase IQ Gateway allows OS command execution when the device is exposed to the public internet; affects versions 4.x through 8.2.4224.

Vulnerability

A command injection vulnerability exists in an internal script of the Enphase IQ Gateway (formerly Envoy) [1]. The software fails to properly neutralize special elements in a command, allowing OS command injection [1]. Affected versions are IQ Gateway 4.x through 8.2.4224 [1]. The vulnerability is exploitable when the IQ Gateway is modified to obtain a public IP address and connect to the public internet [1].

Exploitation

To exploit the vulnerability, the IQ Gateway must be configured with a public IP address and be accessible from the public internet [1]. An attacker with network access to the device can send crafted input that leads to command injection in an internal script [1]. No authentication is required for exploitation once the device is exposed.

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands on the IQ Gateway [1]. This results in full compromise of the device, including potential data disclosure, modification, and disruption of gateway operations.

Mitigation

Enphase has released software version 8.2.4225 which fixes the vulnerability [1]. Users should upgrade to this version or later. As a workaround, ensure the IQ Gateway is not exposed to the public internet; a typical solution is to place it behind a router [1]. The device does not need direct internet access for normal functionality.

References
  1. ENSA-2024-3 (Enphase Security Advisory)

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Record summary

Affected products: 2
Patches: 0 (no patches discovered yet in this index)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0 (no linked articles in this index yet)