Cybersecurity

ENSA-2023-2: OS Command Injection in Enphase IQ Gateway (Envoy) 7.0.88

Advisory ID:
ENSA-2023-2

CVSSv3:
6.3

Issue date:
2023-07-07

Updated on:
2023-07-07 (initial advisory)

CVE(s):
CVE-2023-33869

Synopsis:
Enphase IQ Gateway 7.3.130/7.6.175 addresses opportunity for command injection in IQ Gateway 7.0.88


1. Impacted product

Enphase IQ Gateway 7.0.88

2. Introduction

CISA published an advisory identifying an opportunity for command injection in IQ Gateway 7.0.88. An update is available to address this issue.

3. Summary

Description:
Enphase IQ Gateway 7.0.88 contains an opportunity for command injection that may allow an attacker to execute root commands on the host OS. CISA has evaluated the severity of this issue to be medium with a CVSSv3 base score of 6.3.

Known attack vectors:
A malicious actor may be able to perform a command injection and execute root commands on the host OS.

Resolution:
Upgrading the Enphase IQ Gateway embedded software to 7.3.130/7.6.175 or newer.

Workarounds:
None.

Additional documentation:
None.

Acknowledgments:
Enphase would like to thank the anonymous researcher “OBSWCY3F” for reporting this issue.

Notes:
None.

4. References

Enphase IQ Gateway 7.3.130/7.6.175 release notes
Mitre CVE dictionary
FIRST CVSSv3 calculator
ICS advisory

5. Change log

2023-07-07 ENSA-2023-2: Initial security advisory.

6. Contact and information

cybersecurity@enphase.com
Enphase security advisories
Enphase vulnerability reporting
Enphase documentation center