
CVE-2024-27081

Severity: High | Public PoC

Published: 26 February 2024
Modified: 07 February 2025
KEV Added: not listed
Patch: available (2024.2.1)
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0446 (89.3rd percentile)
Risk priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-27081 is a high-severity Path Traversal (CWE-22) vulnerability in ESPHome (vendor esphome, product esphome). Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 10.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

ESPHome version 2023.12.9 installed via the command line contains a security misconfiguration in the edit configuration file API of its dashboard component. The flaw, tracked as CVE-2024-27081 and assigned CWE-22, permits path traversal that lets an attacker read or write arbitrary files inside the configuration directory, which in turn enables remote code execution on the host running the dashboard.

An authenticated remote attacker with access to the dashboard API can exploit the misconfiguration to upload or modify files under the configuration path. Because the dashboard runs with sufficient privileges to execute configuration changes on ESP8266/ESP32 devices, successful exploitation grants the attacker the ability to achieve arbitrary code execution on the system hosting ESPHome.

The project addressed the issue in release 2024.2.1. The accompanying GitHub security advisory GHSA-8p25-3q46-8q2p and the linked commit d814ed1d4adc71fde47c4df41215bee449884513 describe the patch that restricts file operations performed through the configuration editor API.

The associated EPSS score remains low, with a current value of 0.0446 and a peak of only 0.0535.


Vulnerability details

ESPHome is a system to control your ESP8266/ESP32. A security misconfiguration in the edit configuration file API in the dashboard component of ESPHome version 2023.12.9 (command line installation) allows authenticated remote attackers to read and write arbitrary files under the configuration directory, rendering remote code execution possible. This vulnerability is patched in 2024.2.1.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: esphome
Product: esphome
Version: 2023.12.9

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
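The containment check that both the patch description above ("restricts file operations performed through the configuration editor API") and this CWE-22 control describe, shown as an added Python example; it is not ESPHome's own code, and the configuration directory and request file names are constructed samples.

```python
import os
from pathlib import Path

# Added example, not ESPHome project code. A dashboard-style "edit configuration
# file" endpoint receives a file name from the client; the functions below show
# the CWE-22 pattern and the check that keeps the name inside the config directory.
CONFIG_DIR = "/srv/esphome/config"  # constructed sample path, not a real install


def unsafe_config_path(config_dir: str, name: str) -> str:
    """The vulnerable shape: untrusted `name` joined straight onto the directory.
    '..' segments pass through, and an absolute `name` replaces the directory."""
    return os.path.join(config_dir, name)


def safe_config_path(config_dir: str, name: str) -> Path:
    """Resolve `name` relative to `config_dir` and refuse anything outside it.
    The test is done on the fully resolved path (symlinks followed, '..'
    collapsed), never on the raw string the client sent."""
    base = Path(config_dir).resolve()
    if not name or name != os.path.basename(name):
        # The editor addresses files by bare name; any separator is suspect.
        raise ValueError(f"file name must not contain path separators: {name!r}")
    candidate = (base / name).resolve()
    # '.', '..' and symlinks that point elsewhere all fail this parent check.
    if candidate.parent != base:
        raise ValueError(f"{name!r} resolves outside {base}")
    return candidate


def is_safe_name(config_dir: str, name: str) -> bool:
    """Boolean wrapper for request validation (also catches embedded NULs)."""
    try:
        safe_config_path(config_dir, name)
        return True
    except ValueError:
        return False


# Constructed request names, not taken from any real report.
SAMPLE_REQUESTS = ["living-room.yaml", "../outside.yaml", "/abs.yaml", "..", "sub/x.yaml"]


def audit(config_dir: str, names: list[str]) -> dict[str, bool]:
    return {n: is_safe_name(config_dir, n) for n in names}


if __name__ == "__main__":
    for n, ok in audit(CONFIG_DIR, SAMPLE_REQUESTS).items():
        print(f"{'allow' if ok else 'reject':6} {n!r} (naive join -> {unsafe_config_path(CONFIG_DIR, n)})")
```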

References