URL parameter manipulation allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway versions 4.x <= 7.x
Description
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability via the url parameter of an authenticated endpoint in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This issue affects Envoy: 4.x <= 7.x
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated command injection in Enphase IQ Gateway (Envoy) 4.x-7.x via url parameter allows OS command execution.
Vulnerability
An improper neutralization of special elements used in a command ('Command Injection') vulnerability exists in the url parameter of an authenticated endpoint in Enphase IQ Gateway (formerly Envoy) versions 4.x through 7.x [1]. The vulnerability is exploitable when the IQ Gateway is modified to obtain a public IP address and connect to the public internet [1].
Exploitation
An attacker must first obtain valid authentication credentials for the IQ Gateway. With authenticated access, the attacker can inject shell metacharacters through the url parameter and have the resulting OS commands executed on the device. Remote exploitation requires that the IQ Gateway has been configured with a public IP address and is reachable from the public internet [1].
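The bug class described above, as an added illustration that is not Enphase's code (the cited advisories do not publish the affected endpoint or the command it builds): a hypothetical firmware handler that downloads from a url parameter by pasting it into a shell command line, beside a hardened version that validates the URL and passes it as a single argv element without a shell. The downloader is replaced by `echo fetching` so the example runs offline, and the payload is constructed; the function and tool names are assumptions.

```python
import re
import subprocess
from urllib.parse import urlparse

# Hypothetical stand-in for the gateway's downloader: "echo fetching" prints
# what it would fetch instead of touching the network, so this runs offline.
# The injection mechanics are the same for curl/wget.
FETCH_TOOL = ["echo", "fetching"]


def vulnerable_fetch(url: str) -> str:
    """Vulnerable pattern: the url parameter is concatenated into a shell
    command line, so shell metacharacters in the value are interpreted."""
    cmd = " ".join(FETCH_TOOL) + " " + url  # e.g. "echo fetching http://..."
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def validate_url(url: str) -> str:
    """Defense in depth: accept only absolute http(s) URLs with a host and no
    whitespace or control characters. Raises ValueError otherwise."""
    if re.search(r"[\s\x00-\x1f\x7f]", url):
        raise ValueError("control or whitespace character in url")
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("url must be an absolute http(s) URL with a host")
    return url


def is_valid_url(url: str) -> bool:
    """Boolean wrapper around validate_url for callers that prefer a flag."""
    try:
        validate_url(url)
        return True
    except ValueError:
        return False


def hardened_fetch(url: str) -> str:
    """Hardened pattern: validate, then pass the value as one argv element
    with shell=False. No shell parses the string, so ';', '$(...)' and
    '${IFS}' stay plain characters in the argument."""
    argv = FETCH_TOOL + [validate_url(url)]
    result = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return result.stdout


# Constructed payload: it contains no whitespace, so a naive "no spaces"
# filter would pass it, yet ';' terminates the command and ${IFS} expands
# to the missing space in the injected command.
PAYLOAD = "http://gateway.example/fw.bin;echo${IFS}INJECTED"


def demo() -> dict:
    return {
        "vulnerable": vulnerable_fetch(PAYLOAD),
        "hardened": hardened_fetch(PAYLOAD),
    }


if __name__ == "__main__":
    out = demo()
    # vulnerable: a second line "INJECTED" shows the injected command ran
    print("vulnerable ->", repr(out["vulnerable"]))
    # hardened: a single line with the payload echoed back literally
    print("hardened   ->", repr(out["hardened"]))
```

The argv form is the actual fix; the validation step only narrows what the downloader is asked to fetch (a semicolon is a legal URL character, so allow-listing characters cannot substitute for keeping the shell out of the path).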
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands on the IQ Gateway device. This can lead to full compromise of the device, including data exfiltration, further network attacks, or disruption of solar monitoring services [1].
Mitigation
Enphase has released a fix in IQ Gateway embedded software version 8.2.4225 or newer [1]. Users should upgrade to this version immediately. As a workaround, ensure the IQ Gateway is not exposed to the public internet; typical configurations use a router to keep the device on a local network [1]. No known exploitation in the wild has been reported as of the advisory date.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Enphase IQ Gateway (Envoy): 4.x <= 7.x
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- csirt.divd.nl/CVE-2024-21880 (MITRE: third-party-advisory)
- enphase.com/cybersecurity/advisories/ensa-2024-5 (MITRE: vendor-advisory)
- csirt.divd.nl/DIVD-2024-00011 (MITRE: related)
News mentions
No linked articles in our index yet.