Security News > 2023 > May > Serious Unpatched Vulnerability Uncovered in Popular Belkin Wemo Smart Plugs
The second generation version of Belkin's Wemo Mini Smart Plug has been found to contain a buffer overflow vulnerability that could be weaponized by a threat actor to inject arbitrary commands remotely.
The issue, assigned the identifier CVE-2023-27217, was discovered and reported to Belkin on January 9, 2023, by Israeli IoT security company Sternum, which reverse-engineered the device and gained firmware access.
Wemo Mini Smart Plug V2 offers convenient remote control, allowing users to turn electronic devices on or off using a companion app installed on a smartphone or tablet.
The heart of the problem lies in a feature that makes it possible to rename the smart plug to a more "FriendlyName." The default name assigned is "Wemo mini 6E9.".
As a result, circumventing the character limit by using a Python module named pyWeMo can lead to a buffer overflow condition, which can then be reliably exploited to crash the device or trick the code into running malicious commands and take over control.
In the absence of a fix, users of Wemo Mini Smart Plug V2 are recommended to avoid exposing them directly to the internet and ensure that appropriate segmentation measures are implemented if they have been deployed in sensitive networks.
News URL
https://thehackernews.com/2023/05/serious-unpatched-vulnerability.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-05-18 | CVE-2023-27217 | Out-of-bounds Write vulnerability in Belkin F7C063 Firmware 2.00.11420.Owrt.Pvtsnsv2 A stack-based buffer overflow in the ChangeFriendlyName() function of Belkin Smart Outlet V2 F7c063 firmware_2.00.11420.OWRT.PVT_SNSV2 allows attackers to cause a Denial of Service (DoS) via a crafted UPNP request. | 9.8 |