CVE-2024-21880

URL parameter manipulations allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway version 4.x <= 7.x

Description

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability via the url parameter of an authenticated enpoint in Enphase IQ Gateway (formerly known as Enphase) allows OS Command Injection.This issue affects Envoy: 4.x <= 7.x

Remediation

Solution:

Devices are remotely being updated by the vendor.

Workaround:

It is adviced to not expose this device to untrusted network acces. In other words, make sure this decvice is not reachable from the internet, a guest network or a public network.

References

Link	Tags
https://csirt.divd.nl/CVE-2024-21880	third party advisory
https://csirt.divd.nl/DIVD-2024-00011	related third party advisory
https://enphase.com/cybersecurity/advisories/ensa-2024-5	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2024-21880?: CVE-2024-21880 has been scored as a high severity vulnerability.
How to fix CVE-2024-21880?: To fix CVE-2024-21880: Devices are remotely being updated by the vendor.
Is CVE-2024-21880 being actively exploited in the wild?: It is possible that CVE-2024-21880 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~2% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-21880?: CVE-2024-21880 affects Enphase Envoy.

Description

Remediation

Categories

CWE-77 – Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-78 – Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

References

Frequently Asked Questions