Security News > 2022 > June > Anker Eufy smart home hubs exposed to RCE attacks by critical flaw
Anker's central smart home device hub, Eufy Homebase 2, was vulnerable to three vulnerabilities, one of which is a critical remote code execution flaw.
Homebase 2 is the video storage and networking gateway for all Anker's Eufy smart home devices, including video doorbells, indoor security cameras, smart locks, alarm systems, and more.
Homebase operates as a central station for Eufy devices, and it connects to the cloud to provide services that enhance the functionality of those products, give users remote control via an app, etc.
The most severe of the trio, CVE-2022-21806 is a critical RCE triggered by sending a specially-crafted set of network packets to the target device.
The flaw lies in a user-after-free problem in the functionality of an internal server that Homebase uses to receive specifically formatted messages from the network, such as for device pairing, configuration, etc.
An attacker might be able to exploit this flaw to receive the video feed from connected camera devices and spy on the owners.
News URL
Related news
- Critical Veeam RCE bug now used in Frag ransomware attacks (source)
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks (source)
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- HPE warns of critical RCE flaws in Aruba Networking access points (source)
- CISA warns of critical Palo Alto Networks bug exploited in attacks (source)
- New Flaws in Citrix Virtual Apps Enable RCE Attacks via MSMQ Misconfiguration (source)
- Critical bug in EoL D-Link NAS devices now exploited in attacks (source)
- CISA Flags Two Actively Exploited Palo Alto Flaws; New RCE Attack Confirmed (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-06-17 | CVE-2022-21806 | Use After Free vulnerability in Anker Eufy Homebase 2 Firmware 2.1.8.5H A use-after-free vulnerability exists in the mips_collector appsrv_server functionality of Anker Eufy Homebase 2 2.1.8.5h. | 9.8 |