2023-07-07 (initial advisory)
Enphase IQ Gateway 7.3.130/7.6.175 addresses opportunity for command injection in IQ Gateway 7.0.88
1. Impacted product
Enphase IQ Gateway 7.0.88
CISA published an advisory identifying an opportunity for command injection in IQ Gateway 7.0.88. An update is available to address this issue.
Enphase IQ Gateway 7.0.88 contains an opportunity for command injection that may allow an attacker to execute root commands on the host OS. CISA has evaluated the severity of this issue to be medium with a CVSSv3 base score of 6.3.
Known attack vectors:
A malicious actor may be able to perform a command injection and execute root commands on the host OS.
Upgrading the Enphase IQ Gateway embedded software to 7.3.130/7.6.175 or newer.
Enphase would like to thank the anonymous researcher “OBSWCY3F” for reporting this issue.
5. Change log
2023-07-07 ENSA-2023-2: Initial security advisory.