Platform
python
Component
esphome
Fixed in
2023.12.10
2024.2.1
CVE-2024-27081 describes a Remote Code Execution (RCE) vulnerability within the ESPHome dashboard component. This flaw stems from a path traversal issue in the edit configuration file API, allowing authenticated attackers to manipulate files within the ESPHome configuration directory. The vulnerability impacts versions of ESPHome up to and including 2024.2.0b3, and a fix is available in version 2024.2.1.
An attacker exploiting CVE-2024-27081 can gain remote code execution capabilities on the ESPHome device. This is achieved by leveraging the path traversal vulnerability in the dashboard's configuration file API. By crafting malicious requests, an attacker can read and write arbitrary files within the ESPHome configuration directory. This allows for the injection of malicious code, potentially leading to complete control of the device and any connected smart home devices. The blast radius extends to any data stored or processed by the ESPHome device, including sensitive user credentials and home automation configurations. This vulnerability is particularly concerning given the increasing reliance on IoT devices in home environments.
CVE-2024-27081 was publicly disclosed on March 1, 2024. While no active exploitation campaigns have been confirmed, the ease of exploitation and the widespread use of ESPHome devices raise concerns about potential abuse. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS
4.46% (89% percentile)
CVSS Vector
The primary mitigation for CVE-2024-27081 is to upgrade ESPHome to version 2024.2.1 or later. This version includes a fix that addresses the path traversal vulnerability. If an immediate upgrade is not feasible, consider restricting access to the ESPHome dashboard to trusted networks and users. Implement strong authentication mechanisms to prevent unauthorized access. While a direct WAF rule is unlikely to be effective due to the nature of the path traversal, monitoring for unusual file access patterns within the ESPHome configuration directory can provide early detection. After upgrading, verify the fix by attempting to access configuration files through the dashboard API with invalid paths; legitimate requests should be denied.
Actualice ESPHome a la versión 2024.2.1 o posterior. Esto corrige la vulnerabilidad de escritura arbitraria de archivos en el componente del panel de control. La actualización se puede realizar a través de la interfaz de línea de comandos o mediante la actualización del sistema.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-27081 is a Remote Code Execution vulnerability in the ESPHome dashboard, allowing attackers to potentially execute code on the device.
You are affected if you are using ESPHome versions 2024.2.0b3 or earlier. Upgrade to 2024.2.1 or later to mitigate the risk.
Upgrade ESPHome to version 2024.2.1 or later. This resolves the path traversal vulnerability.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation raises concerns about potential abuse.
Refer to the official ESPHome security advisory for detailed information and updates: [https://esphome.io/security.html](https://esphome.io/security.html)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.