CRITICAL🇵🇱 Wersja polska

CVE-2024-24578

CVSS 10.0v3.1pub. 2024-03-18upd. 2025-12-23

RaspberryMatic is an open-source operating system for HomeMatic internet-of-things devices. RaspberryMatic / OCCU prior to version 3.75.6.20240316 contains a unauthenticated remote code execution (RCE) vulnerability, caused by multiple issues within the Java based `HMIPServer.jar` component. RaspberryMatric includes a Java based `HMIPServer`, that can be accessed through URLs starting with `/pages/jpages`. The `FirmwareController` class does however not perform any session id checks, thus this feature can be accessed without a valid session. Due to this issue, attackers can gain remote code execution as root user, allowing a full system compromise. Version 3.75.6.20240316 contains a patch.

🤖 AI Analysis
How it works

The vulnerability results from two related issues in the Java-based `HMIPServer.jar` component. The `FirmwareController` class, accessible via URL paths starting with `/pages/jpages`, does not perform any session identifier verification (lack of authentication control, CWE-306). Additionally, there is a path traversal vulnerability (CWE-23) that, combined with the lack of authentication, allows an attacker to remotely execute code as the root user without possessing a valid session.

Impact

An attacker gains the ability to remotely execute arbitrary code with root privileges, leading to full system compromise, including access to data, modification of configuration, and potential takeover of connected HomeMatic IoT devices.

Mitigation & patch

RaspberryMatic should be updated to version 3.75.6.20240316 or later, which contains a patch eliminating the described vulnerabilities. The patch is available in the project repository on GitHub.

Who is affected

RaspberryMatic / OCCU in all versions prior to 3.75.6.20240316

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Raspberrymatic

    OS
    Raspberrymatic
    < 3.75.6.20240316
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2022-24796CRITICAL10.0ten sam produkt

RaspberryMatic is a free and open-source operating system for running a cloud-free smart-home using the homema...