CVE-2022-24796
Published: 31 March 2022
Summary
CVE-2022-24796 is a critical-severity OS Command Injection (CWE-78) vulnerability in RaspberryMatic. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 8.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
RaspberryMatic is a free and open-source operating system for cloud-free smart-home control of HomeMatic and homematicIP IoT devices. CVE-2022-24796 is a critical remote code execution flaw in the WebUI file-upload mechanism caused by missing input validation and sanitization of shell metacharacters supplied in the HTTP query string. The vulnerability affects all releases after 2.31.25.20180428 and before 3.63.8.20220330 and carries a CVSS 3.1 score of 10.0 with CWE-78.
Unauthenticated attackers who can reach the WebUI over the network can inject operating-system commands that execute with root privileges, resulting in complete compromise of the device and all connected components. No authentication or user interaction is required, and the attack surface is exposed by default on any reachable installation.
The project’s security advisory and the fixing commit (34854659a63e9fb3ad529bb413e96978c6450a53) state that no workarounds exist and direct users to upgrade immediately to version 3.63.8.20220330 or later. The EPSS score has remained flat at 0.0644 with no material post-disclosure increase.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29602
Vulnerability details
RaspberryMatic is a free and open-source operating system for running a cloud-free smart-home using the homematicIP / HomeMatic hardware line of IoT devices. A Remote Code Execution (RCE) vulnerability in the file upload facility of the WebUI interface of RaspberryMatic exists. Missing input validation/sanitization in the file upload mechanism allows remote, unauthenticated attackers with network access to the WebUI interface to achieve arbitrary operating system command execution via shell metacharacters in the HTTP query string. Injected commands are executed as root, thus leading to a full compromise of the underlying system and all its components. Versions after `2.31.25.20180428` and prior to `3.63.8.20220330` are affected. Users are advised to update to version `3.63.8.20220330` or newer. There are currently no known workarounds to mitigate the security impact and users are advised to update to the latest version available.
- CWE(s): CWE-78 (OS Command Injection)
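The flaw described in the Deeper analysis and Vulnerability details sections above reduces to one pattern: text taken from the HTTP query string is spliced into a command that a shell parses, so shell metacharacters in that text become command syntax. The following Python example is added here as an illustration and is not RaspberryMatic code, nor taken from the advisory or the fixing commit. It places the flawed string-building form (returned, never executed) beside an allowlist-validated argv form that no shell parses, and adds a small access-log check that flags upload requests whose decoded query values contain shell metacharacters. The `/upload` endpoint, the `name` parameter, the `mv` command and the log lines are constructed assumptions for the example, not details of the affected product.

```python
"""Added illustration (not RaspberryMatic code) of the CWE-78 pattern the
advisory describes: an upload handler that forwards a query-string value to
a shell, beside an allowlist-validated, shell-free alternative, plus a log
check for shell metacharacters aimed at the upload endpoint.  The endpoint
"/upload", the parameter "name", the mv command and the log lines are all
constructed for this example."""
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist for upload names: an alphanumeric first character, then only
# alphanumerics, dot, underscore and dash.  Everything a shell could
# interpret (; | & $ ` < > ( ) quotes, whitespace, newlines) and every path
# separator is outside the set, so no denylist of bad characters is needed.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

# Characters a POSIX shell treats as syntax; used only for log triage below.
SHELL_METACHARS = set(";|&$`<>(){}\n\r'\"\\")


def is_safe_upload_name(name: str) -> bool:
    """True only for names that cannot change a command's structure."""
    return SAFE_NAME.fullmatch(name) is not None and ".." not in name


def vulnerable_shell_string(name: str) -> str:
    """The flawed pattern: untrusted text spliced into a string that would
    later be handed to /bin/sh.  Returned, never executed, so it can be
    compared with build_upload_argv() side by side."""
    return "mv /tmp/upload.bin /tmp/uploads/" + name  # hypothetical command


def build_upload_argv(name: str) -> list[str]:
    """Hardened form: validate against the allowlist, then build an argv
    list for subprocess.run(argv) with shell=False.  Because no shell parses
    the list, the name is always exactly one argument."""
    if not is_safe_upload_name(name):
        raise ValueError(f"rejected upload name: {name!r}")
    return ["mv", "/tmp/upload.bin", "/tmp/uploads/" + name]


# Common Log Format: client, ident, user, [time], "request line", status, bytes.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_suspicious_requests(lines, endpoint="/upload"):
    """Return (client, parameter, decoded value) for every request to the
    endpoint whose query string carries a shell metacharacter after URL
    decoding, so %3B or %0A is caught as well as the literal character."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if parts.path != endpoint:
            continue
        for param, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                if SHELL_METACHARS & set(value):
                    hits.append((client, param, value))
    return hits


# Constructed access-log lines for the demonstration; the second carries an
# encoded semicolon followed by a harmless placeholder word, not a payload.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Mar/2022:10:00:01 +0000] "GET /upload?name=backup.tgz HTTP/1.1" 200 12',
    '198.51.100.7 - - [31/Mar/2022:10:00:09 +0000] "GET /upload?name=backup.tgz%3Bplaceholder HTTP/1.1" 200 12',
    '192.0.2.10 - - [31/Mar/2022:10:00:15 +0000] "GET /index.htm?name=x%3By HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for name in ("backup.tgz", "backup.tgz;placeholder", "../escape.tgz", ".hidden"):
        print(f"{name!r:28} safe={is_safe_upload_name(name)}")
    print("argv form:", build_upload_argv("backup.tgz"))
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print("suspicious query value:", hit)
```

The validator is an allowlist rather than a denylist of metacharacters because the fix the advisory describes is input validation, and an allowlist fails closed when a new encoding or character is overlooked. The log check is scoped to the upload endpoint and decodes the query string before matching, which is the same reason the validator must operate on the decoded value the handler actually uses.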
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.