CVE-2022-24796: RaspberryMatic is a free and open-source operating system for running a cloud-free smart-home using the homematicIP / HomeMatic hardware line of IoT d...

Description

RaspberryMatic is a free and open-source operating system for running a cloud-free smart-home using the homematicIP / HomeMatic hardware line of IoT devices. A Remote Code Execution (RCE) vulnerability in the file upload facility of the WebUI interface of RaspberryMatic exists. Missing input validation/sanitization in the file upload mechanism allows remote, unauthenticated attackers with network access to the WebUI interface to achieve arbitrary operating system command execution via shell metacharacters in the HTTP query string. Injected commands are executed as root, thus leading to a full compromise of the underlying system and all its components. Versions after `2.31.25.20180428` and prior to `3.63.8.20220330` are affected. Users are advised to update to version `3.63.8.20220330` or newer. There are currently no known workarounds to mitigate the security impact and users are advised to update to the latest version available.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

3.52%

87.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-78

Affected Software

Vendor	Product	Versions
Raspberrymatic	Raspberrymatic	>= 2.31.25.20180428, < 3.63.8.20220330

References

https://github.com/jens-maus/RaspberryMatic/commit/34854659a63e9fb3ad529bb413e96978c6450a53Patch, Third Party Advisory
https://github.com/jens-maus/RaspberryMatic/security/advisories/GHSA-g7vv-7rmf-mff7Patch, Third Party Advisory
https://github.com/jens-maus/RaspberryMatic/commit/34854659a63e9fb3ad529bb413e96978c6450a53Patch, Third Party Advisory
https://github.com/jens-maus/RaspberryMatic/security/advisories/GHSA-g7vv-7rmf-mff7Patch, Third Party Advisory

Timeline

Published: Mar 31, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-24796?

RaspberryMatic is a free and open-source operating system for running a cloud-free smart-home using the homematicIP / HomeMatic hardware line of IoT devices. A Remote Code Execution (RCE) vulnerability in the file upload facility of the WebUI interface of RaspberryMatic exists. Missing input validation/sanitization in the file upload mechanism allows remote, unauthenticated attackers with network access to the WebUI interface to achieve arbitrary operating system command execution via shell metacharacters in the HTTP query string. Injected commands are executed as root, thus leading to a full compromise of the underlying system and all its components. Versions after `2.31.25.20180428` and prior to `3.63.8.20220330` are affected. Users are advised to update to version `3.63.8.20220330` or newer. There are currently no known workarounds to mitigate the security impact and users are advised to update to the latest version available.

How severe is CVE-2022-24796?

CVE-2022-24796 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 3.52% probability of exploitation in the next 30 days.

How do I fix CVE-2022-24796?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.