Cybersecurity

ENSA-2023-2: OS Command Injection in Enphase IQ Gateway (Envoy) 7.0.88

Advisory ID:
ENSA-2023-2

CVSSv3:
6.3

Issue date:
2023-07-07

Updated on:
2023-07-07 (initial advisory)

CVE(s):
CVE-2023-33869

Synopsis:
Enphase IQ Gateway 7.3.130/7.6.175 addresses opportunity for command injection in IQ Gateway 7.0.88

1. Impacted product

Enphase IQ Gateway 7.0.88

2. Introduction

CISA published an advisory identifying an opportunity for command injection in IQ Gateway 7.0.88. An update is available to address this issue.

3. Summary

Description:
Enphase IQ Gateway 7.0.88 contains an opportunity for command injection that may allow an attacker to execute root commands on the host OS. CISA has evaluated the severity of this issue to be medium with a CVSSv3 base score of 6.3.

Known attack vectors:
A malicious actor may be able to perform a command injection and execute root commands on the host OS.

Resolution:
Upgrading the Enphase IQ Gateway embedded software to 7.3.130/7.6.175 or newer.

Workarounds:
None.

Additional documentation:
None.

Acknowledgments:
Enphase would like to thank the anonymous researcher “OBSWCY3F” for reporting this issue.

Notes:
None.

4. References

Enphase IQ Gateway 7.3.130/7.6.175 release notes
Mitre CVE dictionary
FIRST CVSSv3 calculator
ICS advisory

5. Change log

2023-07-07 ENSA-2023-2: Initial security advisory.

6. Contact and information

cybersecurity@enphase.com
Enphase security advisories
Enphase vulnerability reporting
Enphase documentation center

Services and Frequently bought products

Loading

Installation at-home consultation

Need help with installation? Start by booking an At-home Consultation with an independent installation professional to receive a quote for your custom installation.

Confirm your installation zip code:

Please confirm your installation zip code

Confirm

Great news: Enphase’s at-home EV charger installation services are available in your area.

Unfortunately, Enphase's at-home EV charger installation services are not yet available in your area. You can click here to browse electricians with EV charger expertise.

Installation at-home consultation successfully added to cart

Are you shipping to your installation address?

Yes
No

Enter your installation address:

I have read Enphase's Privacy policy and I have read and agree to Enphase's terms and conditions.
I understand that this service is fulfilled by an independent professional utilizing the Enphase O&M Marketplace’s 365 Pronto platform. I confirm that I have reviewed and accept the 365 Pronto Customer Platform Services Agreement.

The zip code entered above does not match the entered address.

Price : $

?

Add

The At-home Consultation helps determine the full cost to install your new EV charger. The $150 fee is subtracted from your final installation price if you choose to accept the quote. After check out, Enphase will send you an email from its 365 Pronto Platform describing next steps.

Know more

What is included in this price?

The At-home Consultation includes a report detailing your EV readiness, and a custom, no-obligation quote for your EV charger installation. This $150 fee is subtracted from your final installation price if you choose to accept the quote.

What are the next steps?

After you check out, Enphase will send you a confirmation email from the 365 Pronto Platform, and your installation professional will directly contact you to schedule a time for your At-home Consultation.

What is the 365 Pronto Platform?

Enphase's 365 Pronto Platform is software that dispatches independent professionals to perform renewable energy services, including EV charger installations.

How will I be charged for these services?

The charge for your At-home Consultation will be processed through Enphase's Store. If you choose to accept your installation quote, you will pay for the installation separately via the 365 Pronto Platform.

Show less

Loading