First published: Sat Aug 10 2024
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This vulnerability is present in an internal script. This issue affects Envoy: from 4.x up to and including 8.x and is currently unpatched.
Credit: csirt@divd.nl
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Enphase IQ Gateway Firmware | >=4.0 and <8.2.4225 | Devices are remotely being updated by the vendor. |
CVE-2024-21878 is rated critical severity because it allows OS command injection on the gateway.
To mitigate CVE-2024-21878, update the Enphase IQ Gateway firmware to version 8.2.4225 or later. The vendor pushes gateway firmware updates remotely, so the practical check is to confirm the installed firmware version on each gateway rather than to apply a patch by hand.
CVE-2024-21878 affects Enphase IQ Gateway firmware versions from 4.0 up to, but not including, 8.2.4225.
CVE-2024-21878 is an OS command injection: input reaching the affected internal script is passed to a shell without neutralizing special characters, so an attacker who can influence that input can execute arbitrary commands on the gateway.
CVE-2024-21878 specifically affects the firmware of the Enphase IQ Gateway and not the hardware itself.
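The bug class behind this advisory is untrusted input interpolated into a shell command. The following is an added, generic illustration written for this page; it is not the Enphase internal script, it does not reproduce the CVE-2024-21878 trigger, and the helper name `stat_path`, the `ls -ld` command and the `/tmp; id` payload are all constructed for the example. It shows the vulnerable pattern, the argv-based fix that makes shell metacharacters inert, an allow-list check as defence in depth, and a cheap triage test a responder can run over logged parameters.

```python
"""Generic OS command injection illustration (added example, not vendor code)."""
import re
import subprocess
import tempfile


def stat_path_unsafe(path: str) -> str:
    # VULNERABLE PATTERN (hypothetical helper): string interpolation plus
    # shell=True hands the whole line to /bin/sh, so ';', '|', '`', '$(...)'
    # in `path` become command separators rather than part of a filename.
    proc = subprocess.run(f"ls -ld {path}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


def stat_path_argv(path: str) -> str:
    # FIX 1: pass an argument vector and never a shell string. The process is
    # exec'd directly with `path` as a single argv entry, so metacharacters
    # are inert even when the input is hostile.
    proc = subprocess.run(["ls", "-ld", path], capture_output=True, text=True)
    return proc.stdout + proc.stderr


# Allow-list for the shape of input this helper legitimately needs.
# fullmatch() rather than match()/search() with '$': '$' also matches before
# a trailing newline, which is exactly the kind of edge an attacker probes.
_SAFE_PATH = re.compile(r"/[A-Za-z0-9_./-]*")


def stat_path_safe(path: str) -> str:
    # FIX 2 (defence in depth): reject anything outside the expected shape
    # before it reaches any command, then still use the argv form.
    if not _SAFE_PATH.fullmatch(path) or ".." in path.split("/"):
        raise ValueError(f"rejected path: {path!r}")
    return stat_path_argv(path)


# Characters a legitimate path or hostname never needs but a shell interprets.
_SHELL_META = re.compile(r"[;&|`$<>\n]")


def looks_like_injection(value: str) -> bool:
    # Triage check for request/parameter logs when hunting for exploitation
    # attempts: flags shell metacharacters in a value that should be a name.
    return bool(_SHELL_META.search(value))


def demo() -> dict:
    # Constructed attacker input: a valid-looking path followed by a second
    # command. Under the unsafe helper `id` runs and its output leaks back.
    payload = "/tmp; id"
    result = {}
    result["unsafe_injected"] = "uid=" in stat_path_unsafe(payload)
    # argv form alone: ls just fails to find a file literally named '/tmp; id'.
    result["argv_inert"] = "uid=" not in stat_path_argv(payload)
    try:
        stat_path_safe(payload)
        result["safe_rejected"] = False
    except ValueError:
        result["safe_rejected"] = True
    # A benign directory still works through the hardened helper.
    with tempfile.TemporaryDirectory() as benign:
        result["safe_benign_ok"] = stat_path_safe(benign).startswith("d")
    result["flagged"] = looks_like_injection(payload)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the module directly to see the four outcomes. The argv change is the actual fix; the allow-list is there because a later edit of the script might reintroduce a shell (for example to use a pipe), and if a shell string is unavoidable the input must at least go through `shlex.quote`. The `looks_like_injection` check is deliberately crude: it is for scanning captured parameters during incident triage, not for use as the only input filter.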