Advisory ID:
ENSA-2023-2
CVSSv3:
6.3
Issue date:
2023-07-07
Updated on:
2023-07-07 (initial advisory)
CVE(s):
CVE-2023-33869
Synopsis:
Enphase IQ Gateway 7.3.130/7.6.175 addresses opportunity for command injection in IQ Gateway 7.0.88
1. Impacted product
Enphase IQ Gateway 7.0.88
2. Introduction
CISA published an advisory identifying an opportunity for command injection in IQ Gateway 7.0.88. An update is available to address this issue.
3. Summary
Description:
Enphase IQ Gateway 7.0.88 contains an opportunity for command injection that may allow an attacker to execute root commands on the host OS. CISA has evaluated the severity of this issue to be medium with a CVSSv3 base score of 6.3.
Known attack vectors:
A malicious actor may be able to perform a command injection and execute root commands on the host OS.
Resolution:
Upgrading the Enphase IQ Gateway embedded software to 7.3.130/7.6.175 or newer.
Workarounds:
None.
Additional documentation:
None.
Acknowledgments:
Enphase would like to thank the anonymous researcher “OBSWCY3F” for reporting this issue.
Notes:
None.
4. References
Enphase IQ Gateway 7.3.130/7.6.175 release notes
Mitre CVE dictionary
FIRST CVSSv3 calculator
ICS advisory
5. Change log
2023-07-07 ENSA-2023-2: Initial security advisory.
6. Contact and information
cybersecurity@enphase.com
Enphase security advisories
Enphase vulnerability reporting
Enphase documentation center