Cyber Resilience

CVE-2022-24796

Severity: Critical
Impact: RCE

Published: 31 March 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (fixed in 3.63.8.20220330)
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0644 (91.3rd percentile)
Risk Priority: 24 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-24796 is a critical-severity OS Command Injection (CWE-78) vulnerability in RaspberryMatic (vendor: raspberrymatic, product: raspberrymatic). Its CVSS 3.1 base score is 10.0 (Critical).

Operationally, it ranks in the top 8.7% of CVEs by EPSS exploit likelihood (91.3rd percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

RaspberryMatic is a free and open-source operating system for cloud-free smart-home control of HomeMatic and homematicIP IoT devices. CVE-2022-24796 is a critical remote code execution flaw in the WebUI file-upload mechanism, caused by missing input validation and sanitization: shell metacharacters supplied in the HTTP query string reach an operating-system command without being neutralized. The vulnerability affects all releases after 2.31.25.20180428 and before 3.63.8.20220330 and carries a CVSS 3.1 base score of 10.0; the weakness is classified as CWE-78 (OS Command Injection).

Unauthenticated attackers who can reach the WebUI over the network can inject operating-system commands that execute with root privileges, resulting in complete compromise of the device and every component it controls. No authentication or user interaction is required, and because the vulnerable code path is part of the WebUI itself, any installation reachable on the network exposes it. RaspberryMatic is designed to run cloud-free, so in most deployments the WebUI is reachable only from the local network; port forwarding, a flat network or an attacker foothold on any LAN host removes that limitation, which is what the AV:N vector reflects.
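The pattern behind CWE-78 as described above, shown as an added example that is not RaspberryMatic's code and not taken from this page: a toy upload handler that reads a "filename" parameter from the raw HTTP query string, interpolates it into a command string handed to /bin/sh (the vulnerable form), beside a hardened form that allowlists the value and invokes the program as an argv list with no shell. The handler, the parameter name and the echo command standing in for the real post-upload action are all assumptions made for the demonstration.

```python
# Added illustration of the CWE-78 pattern. NOT RaspberryMatic's code: the
# handler, the "filename" query parameter and the command it builds are
# assumptions made for the demonstration; "echo" stands in for whatever a
# real upload handler would run as root.
import re
import subprocess
import urllib.parse

# Allowlist for the stored file name: letters, digits, dot, underscore, dash,
# first character alphanumeric. No '/', no whitespace, and none of the
# characters ; | & $ ` ( ) < > \ " ' that a shell would interpret.
FILENAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def filename_from_query(query_string: str) -> str:
    """Pull the 'filename' parameter out of a raw HTTP query string.
    parse_qs percent-decodes, so %3B becomes ';' and %20 (or '+') a space."""
    params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    return params.get("filename", [""])[0]


def vulnerable_upload_command(query_string: str) -> str:
    """Vulnerable pattern: the decoded, unvalidated value is interpolated
    into a command string that is later handed to /bin/sh."""
    return f"echo saving /etc/config/{filename_from_query(query_string)}"


def run_vulnerable(query_string: str) -> str:
    """shell=True passes the string to sh -c, so metacharacters from the
    query string become shell syntax. A real handler running as root would
    execute whatever follows the ';' as root; here it is only an echo."""
    result = subprocess.run(vulnerable_upload_command(query_string),
                            shell=True, capture_output=True, text=True)
    return result.stdout


def is_safe_filename(name: str) -> bool:
    """Allowlist check: True only when the whole value matches FILENAME_RE."""
    return FILENAME_RE.fullmatch(name) is not None


def run_hardened(query_string: str) -> str:
    """Hardened handler: validate against the allowlist, then run the
    program as an argv list with no shell so nothing is ever re-parsed."""
    name = filename_from_query(query_string)
    if not is_safe_filename(name):
        raise ValueError(f"rejected filename {name!r}")
    result = subprocess.run(["echo", "saving", f"/etc/config/{name}"],
                            capture_output=True, text=True, check=True)
    return result.stdout


def hardened_rejects(query_string: str) -> bool:
    """True when the hardened path refuses the input instead of running it."""
    try:
        run_hardened(query_string)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a benign upload and one with ';' and spaces
    # percent-encoded, as they would travel in a query string.
    benign = "filename=backup.tar.gz"
    hostile = "filename=backup.tar.gz%3B%20echo%20INJECTED"
    print(vulnerable_upload_command(hostile))   # the ';' is now shell syntax
    print(run_vulnerable(hostile), end="")      # second output line is INJECTED
    print(run_hardened(benign), end="")
    print("hardened rejects hostile input:", hardened_rejects(hostile))
```

Two layers matter in the hardened form: the allowlist stops the hostile value at the door, and the argv list means that even a validation mistake cannot turn the value into shell syntax, because no shell is involved. Stripping or escaping individual metacharacters on a blocklist is the approach that tends to be bypassed.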

The project’s security advisory and the fixing commit (34854659a63e9fb3ad529bb413e96978c6450a53) state that no workarounds exist and direct users to upgrade immediately to version 3.63.8.20220330 or later. The EPSS score has remained flat at 0.0644 with no material post-disclosure increase.


Vulnerability details

RaspberryMatic is a free and open-source operating system for running a cloud-free smart-home using the homematicIP / HomeMatic hardware line of IoT devices. A Remote Code Execution (RCE) vulnerability in the file upload facility of the WebUI interface of RaspberryMatic exists. Missing input validation/sanitization in the file upload mechanism allows remote, unauthenticated attackers with network access to the WebUI interface to achieve arbitrary operating system command execution via shell metacharacters in the HTTP query string. Injected commands are executed as root, thus leading to a full compromise of the underlying system and all its components. Versions after `2.31.25.20180428` and prior to `3.63.8.20220330` are affected. Users are advised to update to version `3.63.8.20220330` or newer. There are currently no known workarounds to mitigate the security impact and users are advised to update to the latest version available.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: raspberrymatic
Product: raspberrymatic
Versions: after 2.31.25.20180428 and before 3.63.8.20220330 (both boundary versions are excluded; 3.63.8.20220330 is the first fixed release)
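A small inventory check for the version range above, added here as an example rather than taken from this page or from the RaspberryMatic project. It assumes the four-field dotted format seen in the versions quoted above (MAJOR.MINOR.PATCH.DATE) and compares field by field; the hostnames and every version string other than the two boundary values are constructed for the demonstration.

```python
# Added helper for the affected-version range. Not RaspberryMatic code and not
# from this page; the version format (four dotted numeric fields such as
# 3.63.8.20220330) is taken from the versions quoted above, everything else is
# an assumption made for the example.
from typing import Dict, Tuple

LAST_UNAFFECTED_OLD = (2, 31, 25, 20180428)   # affected only if strictly newer
FIXED = (3, 63, 8, 20220330)                   # first fixed release, not affected


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.PATCH.DATE' into a tuple of ints so that tuple
    comparison orders releases. Anything that is not exactly four numeric
    fields is rejected rather than guessed."""
    fields = text.strip().split(".")
    if len(fields) != 4 or not all(f.isdigit() for f in fields):
        raise ValueError(f"unrecognised RaspberryMatic version string: {text!r}")
    return tuple(int(f) for f in fields)


def is_affected(version: str) -> bool:
    """CVE-2022-24796 applies to versions after 2.31.25.20180428 and before
    3.63.8.20220330; both boundary versions are excluded."""
    v = parse_version(version)
    return LAST_UNAFFECTED_OLD < v < FIXED


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> version onto hostname -> 'upgrade', 'ok' or 'unknown'.
    Unparseable strings are flagged rather than silently treated as safe."""
    verdicts = {}
    for host, version in inventory.items():
        try:
            verdicts[host] = "upgrade" if is_affected(version) else "ok"
        except ValueError:
            verdicts[host] = "unknown"
    return verdicts


if __name__ == "__main__":
    # Constructed inventory: hostnames and the non-boundary versions are made up.
    sample = {
        "ccu-kitchen": "3.61.7.20220226",
        "ccu-garage":  "3.63.8.20220330",
        "ccu-legacy":  "2.31.25.20180428",
        "ccu-odd":     "3.63.8-snapshot",
    }
    for host, verdict in triage(sample).items():
        print(f"{host:12} {sample[host]:20} {verdict}")
```

Treating "unknown" as its own verdict is deliberate: a device whose version string cannot be parsed should be looked at by hand, not quietly dropped from the upgrade list.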

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. The project advisory states that no workaround exists, so these controls only limit exposure until the device is upgraded to 3.63.8.20220330 or later.

Managed runtime or sandbox (addresses CWE-78)
Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection. This generic CWE mapping does not fit an unpatched installation of this product: the injected commands are reported to run as root on the device's own operating system, so nothing confines them.

Input validation (addresses CWE-78)
Validates inputs to block special elements (shell metacharacters) that would alter OS command execution. This is the class of fix the project shipped; it applies to the WebUI code, not to anything an operator can configure.
