cbcvebase.
CVE-2013-4863
published 2020-01-28

CVE-2013-4863: The HomeAutomationGateway service in MiCasaVerde VeraLite with firmware 1.5.408 allows (1) remote attackers to execute arbitrary Lua code via a RunLua action…

PriorityP183high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
12.18%
95.6th percentile
The HomeAutomationGateway service in MiCasaVerde VeraLite with firmware 1.5.408 allows (1) remote attackers to execute arbitrary Lua code via a RunLua action in a request to upnp/control/hag on port 49451 or (2) remote authenticated users to execute arbitrary Lua code via a RunLua action in a request to port_49451/upnp/control/hag.

Affected

1 ranges
VendorProductVersion rangeFixed in
micasaverdeveralite_firmware

Detection & IOCsextracted from sources · hover to see the quote

port49451
path/upnp/control/hag
path/port_49451/upnp/control/hag
otherSOAPACTION: "urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua"
commandos.execute("echo 'backdoor%3a%3a0%3a0%3aBackdoor Root Account%3a/tmp%3a/bin/ash' %3e%3e /etc/passwd")
path/tmp/a
path/z3n.html
  • Detect unauthenticated RunLua SOAP action requests to port 49451 on path /upnp/control/hag — the core unauthenticated RCE vector for CVE-2013-4863
  • Alert on HTTP POST requests containing the SOAPACTION header value 'urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua' targeting port 49451
  • Detect reverse shell patterns in Lua code payloads: mkfifo combined with nc (netcat) piped through /bin/sh, delivered via SOAP RunLua action
  • Use Nessus plugin 93911 to actively test for the VeraLite UPnP RunLua vulnerability
  • ·The exploit chain combining CVE-2013-4863 with CVE-2016-6255 (arbitrary file write in libupnp 1.6.6) enables WAN-side exploitation via a crafted webpage visited by a LAN user, extending the attack surface beyond the local network
  • ·The authenticated variant of the vulnerability uses the path /port_49451/upnp/control/hag (proxied through the web interface), while the unauthenticated variant targets port 49451 directly at /upnp/control/hag

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.