VYPR
Unrated severityNVD Advisory· Published Aug 10, 2024· Updated Mar 11, 2025

URL parameter manipulation allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway v4.x to v8.x and < v8.2.4225

CVE-2024-21879

Description

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability through a URL parameter of an authenticated endpoint in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This issue affects Envoy: from 4.x to 8.x and < 8.2.4225.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Command injection in Enphase IQ Gateway (Envoy) allows authenticated OS command injection via a URL parameter, affecting versions 4.x through 8.2.4224.

Vulnerability

The Enphase IQ Gateway (formerly Envoy) contains an OS command injection vulnerability in an authenticated endpoint, reachable through a URL parameter. The software fails to neutralize special elements before the parameter is used in an operating system command, so an attacker can inject arbitrary commands. This affects IQ Gateway versions 4.x through 8.x up to and including 8.2.4224, that is, every version prior to 8.2.4225. The vulnerability is exploitable only when the gateway has been modified to obtain a public IP address and is connected to the public internet [1].
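As an added illustration (not Enphase's code; the real endpoint and parameter name are not published on this page, so `/hypothetical/diag` and `host` are placeholders), the vulnerable pattern the description refers to is shown beside a hardened handler, together with a log check a defender can run to flag requests carrying shell metacharacters in that parameter:

```python
import re
import subprocess
from urllib.parse import urlsplit, parse_qs

# Placeholders: the actual Enphase endpoint and parameter name are not public here.
ENDPOINT = "/hypothetical/diag"
PARAM = "host"
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")   # strict allowlist
SHELL_META = re.compile(r"[;&|`$<>(){}\n\\]")                      # shell separators/expansions

def build_command_unsafe(target: str) -> str:
    """The vulnerable pattern (CWE-78): a URL parameter spliced into a shell string.
    The string is only built here, never executed, so the demonstration stays inert."""
    return f"ping -c 1 {target}"

def run_diagnostic_safe(target: str) -> str:
    """Hardened handler: reject anything but a plain hostname, then pass argv
    without a shell so no separator is ever interpreted.
    /bin/echo stands in for the real tool so the example runs offline."""
    if not HOSTNAME_RE.fullmatch(target):
        raise ValueError("rejected: parameter is not a plain hostname")
    argv = ["/bin/echo", "ping", "-c", "1", target]   # no shell, no re-parsing
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout.strip()

def flag_requests(log_lines):
    """Detection: return (path, decoded value) for requests to ENDPOINT whose
    parameter contains shell metacharacters after percent-decoding."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != ENDPOINT:
            continue
        for value in parse_qs(url.query).get(PARAM, []):   # parse_qs percent-decodes
            if SHELL_META.search(value):
                hits.append((url.path, value))
    return hits

# Constructed sample access-log lines (not captured from a real gateway).
SAMPLE_LOG = [
    '10.0.0.5 - installer [10/Aug/2024:12:00:01 +0000] "GET /hypothetical/diag?host=gateway.local HTTP/1.1" 200 512',
    '203.0.113.9 - installer [10/Aug/2024:12:00:07 +0000] "GET /hypothetical/diag?host=gateway.local%3Bid HTTP/1.1" 200 640',
    '10.0.0.5 - installer [10/Aug/2024:12:00:09 +0000] "GET /other?host=a%3Bb HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(build_command_unsafe("gateway.local;id"))   # separator survives into the shell string
    print(run_diagnostic_safe("gateway.local"))         # argv path: prints the literal arguments
    print(flag_requests(SAMPLE_LOG))                    # only the second line is flagged
```

The same allowlist-then-argv discipline applies to any parameter that ends up in a system call; the log check is a stopgap for spotting probes against a gateway that has not yet been updated.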

Exploitation

An attacker must have valid credentials to access the authenticated endpoint on the IQ Gateway. Additionally, the gateway must be configured with a public IP address and be reachable from the internet. The attacker sends a crafted HTTP request to the vulnerable URL parameter containing a command injection payload. No user interaction is required beyond the initial authentication [1].

Impact

Successful exploitation allows the attacker to execute arbitrary operating system commands on the IQ Gateway with the privileges of the web server process. This can lead to full compromise of the device, including data exfiltration, installation of malware, or use of the gateway as a pivot point for further attacks on the local network [1].

Mitigation

Enphase has released IQ Gateway embedded software version 8.2.4225, which fixes the vulnerability. Users should upgrade to this version or later. As a workaround, ensure that the IQ Gateway is not exposed to the public internet: it should sit behind a router and not be assigned a public IP address, which is not required for normal operation [1].

References
  1. ENSA-2024-4

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
