Advisory ID:
ENSA-2023-2
CVSSv3:
6.3
Issue date:
2023-07-07
Updated on:
2023-07-07 (initial advisory)
CVE(s):
CVE-2023-33869
Synopsis:
Enphase IQ Gateway 7.3.130/7.6.175 addresses opportunity for command injection in IQ Gateway 7.0.88
1. Impacted product
Enphase IQ Gateway 7.0.88
2. Introduction
CISA published an advisory identifying an opportunity for command injection in IQ Gateway 7.0.88. An update is available to address this issue.
3. Summary
Description:
Enphase IQ Gateway 7.0.88 contains an opportunity for command injection that may allow an attacker to execute root commands on the host OS. CISA has evaluated the severity of this issue to be medium with a CVSSv3 base score of 6.3.
Known attack vectors:
A malicious actor may be able to perform a command injection and execute root commands on the host OS.
Resolution:
Upgrade the Enphase IQ Gateway embedded software to 7.3.130/7.6.175 or newer.
Workarounds:
None.
Additional documentation:
None.
Acknowledgments:
Enphase would like to thank the anonymous researcher “OBSWCY3F” for reporting this issue.
Notes:
None.
4. References
Enphase IQ Gateway 7.3.130/7.6.175 release notes
5. Change log
2023-07-07 ENSA-2023-2: Initial security advisory.
6. Contact and information
cybersecurity@enphase.com
Enphase security advisories
Enphase vulnerability reporting
Enphase documentation center