Sonos Era 100 Smart Speaker Remote Code Execution Vulnerability
CVE-2024-5269

8.8HIGH

Key Information:

Vendor: Sonos
Status: Era 100
Vendor: CVE Published:; 6 June 2024

Summary

The vulnerability in the Sonos Era 100 smart speakers emerges from improper handling of SMB2 messages, allowing network-adjacent attackers to execute arbitrary code. This lack of validation for the existence of an object before operations can be exploited without requiring authentication. Successful exploitation could lead to code execution in the context of root, highlighting a significant risk for users of affected devices.

Affected Version(s)

Era 100 15.9 (build 75146030)

References

https://www.zerodayinitiative.com/advisories/ZDI-24-545/

x_research-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 6, 2024
Vulnerability Reserved
May 23, 2024