CVE-2018-15723
Published: 2018-12-20
Priority: P260 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 3.70% (88.4th percentile)
The Logitech Harmony Hub before version 4.15.206 is vulnerable to application level command injection via crafted HTTP request. An unauthenticated remote attacker can leverage this vulnerability to execute application defined commands (e.g. harmony.system?systeminfo).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| logitech | harmony_hub_firmware | < 4.15.206 | 4.15.206 |
| logitech | logitech_harmony_hub | — | — |
Detection & IOCs (extracted from sources)
Command: `curl -d "{\"cmd\":\"harmony.system?systeminfo\"}" -H "Origin: .myharmony.com" -H "Content-Type: application/json" "http://192.168.0.176:8088"`
- Detect HTTP POST requests to port 8088 on Logitech Harmony Hub devices that contain a forged/attacker-controlled 'Origin' header matching '*.myharmony.com' combined with a JSON body containing a 'cmd' key; this is the exploit delivery mechanism for CVE-2018-15723.
- Alert on HTTP requests to Harmony Hub (port 8088) where the Origin header value ends in '.myharmony.com' but originates from an unexpected/external source IP, as the device implicitly trusts this origin.
- The vulnerability affects Logitech Harmony Hub firmware versions prior to 4.15.206. Devices running firmware 4.15.193 (as shown in the PoC response) are confirmed vulnerable. Patch to 4.15.206 or later to remediate.
- The device implicitly trusts any HTTP request with an Origin header matching '.myharmony.com', requiring no authentication. No credentials are needed to exploit this vulnerability.
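The two detection conditions above, combined into one check over parsed HTTP request records. This is an added example, not a rule from the page's sources; the record layout, the `EXPECTED_CLIENTS` allow-list, the sample hostnames and the sample source addresses are assumptions.

```python
import ipaddress
import json

HUB_PORT = 8088                    # hub API port named on the page
TRUSTED_SUFFIX = ".myharmony.com"  # Origin suffix the hub implicitly trusts
# Assumption: the only client expected to send commands to the hub.
EXPECTED_CLIENTS = [ipaddress.ip_network("192.168.0.10/32")]

def origin_host(origin):
    """Lower-cased host part of an Origin value (scheme, port, path dropped)."""
    host = origin.strip().lower().split("://", 1)[-1]
    return host.split("/", 1)[0].split(":", 1)[0]

def classify(req):
    """Return None, 'review' (expected client) or 'alert' (unexpected source)."""
    if req["method"] != "POST" or req["dst_port"] != HUB_PORT:
        return None
    headers = {k.lower(): v for k, v in req["headers"].items()}
    if not origin_host(headers.get("origin", "")).endswith(TRUSTED_SUFFIX):
        return None
    try:
        body = json.loads(req["body"])
    except (ValueError, TypeError):
        return None                # not the JSON command format
    if not isinstance(body, dict) or "cmd" not in body:
        return None
    src = ipaddress.ip_address(req["src_ip"])
    return "review" if any(src in n for n in EXPECTED_CLIENTS) else "alert"

def _req(src, origin, body, port=8088, method="POST"):
    return {"src_ip": src, "dst_port": port, "method": method,
            "headers": {"Origin": origin}, "body": body}

CMD = '{"cmd":"harmony.system?systeminfo"}'   # command string quoted on the page
# Constructed sample records, not captured traffic.
SAMPLE = [
    _req("192.168.0.10", "http://app.myharmony.com", CMD),    # expected client
    _req("192.168.0.77", ".myharmony.com", CMD),              # unknown source
    _req("192.168.0.77", "http://myharmony.com.example.net", CMD),  # suffix miss
    _req("192.168.0.77", ".myharmony.com", "ping"),           # body is not JSON
    _req("192.168.0.77", ".myharmony.com", CMD, port=80),     # wrong port
]

def scan(records):
    return [classify(r) for r in records]

if __name__ == "__main__":
    print(scan(SAMPLE))
```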
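CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |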
No detection rules found.
No public exploits indexed.