Enphase IQ Gateway vulnerable to Command Injection via URL Parameter
CVE-2024-21880

8.6HIGH

Key Information:

Vendor: Enphase
Status: Envoy
Vendor: CVE Published:; 12 August 2024

What is CVE-2024-21880?

The Enphase IQ Gateway, which is integral to energy management systems, has been identified as having a vulnerability that permits OS command injection through inadequate neutralization of special elements in the URL parameter of an authenticated endpoint. This flaw could allow attackers to execute arbitrary commands on the operating system, potentially compromising system integrity and security. It is vital for users and administrators of affected versions of Envoy to apply security best practices and updates provided by Enphase to mitigate this risk.

Affected Version(s)

Envoy 7.x

Envoy 6.x

Envoy 5.x

References

https://csirt.divd.nl/CVE-2024-21880

third-party-advisory

https://csirt.divd.nl/DIVD-2024-00011

https://enphase.com/cybersecurity/advisories/ensa-2024-5

vendor-advisory

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 12, 2024
Vulnerability Reserved
Jan 2, 2024

Credit

Wietse Boonstra of DIVD

Hidde Smit of DIVD

Frank Breedijk of DIVD

Max van der Horst of DIVD

CVE-2024-21880 Data

JSON