Unrated severity · NVD Advisory · Published Jan 30, 2024 · Updated Aug 29, 2024

CVE-2024-22894

Description

An issue fixed in AIT-Deutschland Alpha Innotec Heatpumps V2.88.3 or later, V3.89.0 or later, V4.81.3 or later and Novelan Heatpumps V2.88.3 or later, V3.89.0 or later, V4.81.3 or later, allows remote attackers to execute arbitrary code via the password component in the shadow file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A hardcoded 3DES-encrypted root password in Alpha Innotec and Novelan heat pump firmware allows remote attackers to gain root SSH access and execute arbitrary code.

Vulnerability

The vulnerability is a hardcoded 3DES-encrypted root password in the shadow file within the firmware of Alpha Innotec and Novelan heat pumps using the Luxtronic controller. The encrypted password is easily decrypted to 'eschi'. Affected firmware versions are those prior to V2.88.3, V3.89.0, and V4.81.3 for both brands [1].
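
An added example (not from the advisory or the vendor): a build-time check that parses a shadow file unpacked from a firmware image and reports every account that ships with a usable password, which is the condition described above. It assumes the standard shadow(5) colon-separated layout; the sample entries are constructed placeholders, and the scheme classification is general crypt(3) knowledge rather than a detail from the advisory.

```python
import re

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")    # traditional crypt(3): 2 salt + 11 hash chars
BSDI_CRYPT = re.compile(r"^_[./0-9A-Za-z]{19}$")  # BSDi extended DES
MODULAR = re.compile(r"^\$([^$]+)\$")             # $id$... modular crypt formats
WEAK = {"empty-password", "des-crypt", "bsdi-des-crypt", "md5crypt"}

def classify(field):
    """Classify the password field (second field) of a shadow(5) entry."""
    if field == "":
        return "empty-password"
    if field[0] in "!*":
        return "locked"  # password login disabled for this account
    if DES_CRYPT.match(field):
        return "des-crypt"
    if BSDI_CRYPT.match(field):
        return "bsdi-des-crypt"
    m = MODULAR.match(field)
    if m:
        return "md5crypt" if m.group(1) == "1" else "modular-" + m.group(1)
    return "unknown"

def audit_shadow(text):
    """Return {user: (scheme, severity)} for accounts shipped with a usable password."""
    findings = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank, comment or malformed line
        user, scheme = parts[0], classify(parts[1])
        if scheme == "locked":
            continue
        # Any usable hash baked into an image is a credential shared by every
        # device running it; a weak or empty scheme raises the severity.
        sev = "review" if scheme == "unknown" else "critical" if scheme in WEAK else "high"
        findings[user] = (scheme, sev)
    return findings

# Constructed sample, not taken from any real firmware image.
SAMPLE = """\
root:AAconstructed:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
service:$6$constructedsalt$constructedhash:19000:0:99999:7:::
guest::10933:0:99999:7:::
backup:!:10933:0:99999:7:::
"""

if __name__ == "__main__":
    for user, (scheme, sev) in audit_shadow(SAMPLE).items():
        print(f"{sev:8} {user:8} {scheme}")
```

Run against the unpacked root filesystem in the release pipeline, a non-empty result is a reason to fail the build: the image should ship with password login locked and credentials provisioned per device.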

Exploitation

An attacker with network access to the heat pump (via LAN or internet) can connect to the SSH service and log in with the root user and the decrypted password 'eschi'. The SSH service is available by default, and no prior authentication is required. The decryption of the password takes approximately 5 seconds [1].

Impact

Successful exploitation provides full root shell access to the device. An attacker can then modify settings, delete or alter configuration files, potentially causing the heat pump to malfunction or crash, leading to physical damage or denial of service [1].

Mitigation

The vulnerability is fixed in firmware versions V2.88.3, V3.89.0, V4.81.3, or later, released by AIT Deutschland. Users should update to the latest firmware. As a workaround, ensure the heat pump's SSH service is not exposed to the internet, and restrict network access to the device [1][2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
