cbcvebase.
CVE-2023-27482
published 2023-03-08


Priority: P1 (90, critical) · CVSS 3.1: 10
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
ITW exploit: VulnCheck KEV · Exploited in the wild
EPSS: 71.97% (99.4th percentile)
homeassistant is an open source home automation tool. A remotely exploitable vulnerability that bypasses authentication for the Supervisor API when it is accessed through Home Assistant has been discovered. It affects every Home Assistant installation type that uses Supervisor 2023.01.1 or older. Installation types without the Supervisor, such as Home Assistant Container (for example Docker) or Home Assistant Core installed manually in a Python environment, are not affected.

The issue was mitigated and closed in Supervisor version 2023.03.1, which was rolled out to all affected installations through the Supervisor's auto-update feature; that rollout had completed by the time the advisory was published. Home Assistant Core 2023.3.0 also includes a mitigation for this vulnerability, so upgrading to at least that version is advised. If you cannot upgrade the Supervisor or Home Assistant Core at this time, do not expose your Home Assistant instance to the internet.

Affected (4 ranges)

Vendor          Product         Version range   Fixed in
home-assistant  core            < 2023.3.2      2023.3.2
home-assistant  home-assistant  < 2023.3.0      2023.3.0
home-assistant  supervisor      < 2023.03.3     2023.03.3
home-assistant  supervisor      < 2023.03.1     2023.03.1

Two fixed versions are listed for Core and for Supervisor; when checking an installation, treat the higher version for each product as the safe floor.

Detection & IOCs (extracted from sources)

url   GET /api/hassio/app/.%252e/supervisor/info
url   GET /api/hassio/app/.%09./supervisor/info
url   GET /api/hassio_ingress/.%09./supervisor/info
path  /api/hassio/app/.%252e/supervisor/info
path  /api/hassio/app/.%09./supervisor/info
path  /api/hassio_ingress/.%09./supervisor/info
  • Detect path traversal attempts against the Supervisor API that use a double-encoded dot-dot (.%252e) under the /api/hassio/app/ path.
  • Detect authentication bypass attempts that use tab-encoded traversal (.%09.) against the /api/hassio/app/ endpoint (mitigation bypass 1).
  • Detect authentication bypass attempts that use tab-encoded traversal (.%09.) against the /api/hassio_ingress/ endpoint together with an X-Hass-Is-Admin: 1 header (mitigation bypass 2).
  • Successful exploitation returns HTTP 200 with Content-Type: application/json and a JSON body containing slug, name and ip_address fields, which indicates unauthenticated Supervisor API access.
  • Treat the custom header X-Hass-Is-Admin: 1 on requests to /api/hassio_ingress/ traversal paths as an indicator of an exploitation attempt.
  • Reverse proxies and web servers differ in whether they log the raw request target or an already-decoded or normalised path, so match on both the encoded forms above and the resolved path (/api/hassio/supervisor/info reached from an /api/hassio/app/ or /api/hassio_ingress/ prefix).
  • Exposure: Home Assistant instances reachable from the internet can be found on Shodan/FOFA via the title "Home Assistant" and are candidates for this attack.
  • Only Home Assistant installations that use the Supervisor are affected; Home Assistant Container (Docker) and Home Assistant Core in a Python environment are not vulnerable.
  • The vulnerability affects Supervisor 2023.01.1 and older; Supervisor 2023.03.1 and Home Assistant Core 2023.3.0 include the fix/mitigation.
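The detection rules above, applied to a few constructed access-log lines and a constructed JSON reply. This is an added example, not code from the page or from the Home Assistant project. It assumes combined-log-style lines with the request in quotes, an optional trailing "admin=<value>" field standing in for a logged X-Hass-Is-Admin header, and a router that decodes percent-encoding and ignores a tab inside a path segment (the behaviour the .%09. indicator implies); LOG_RE, parse_line() and the sample data are mine and will need adjusting for real proxy logs. Beyond the three literal IOC paths, it generalises to any request that enters one of the unauthenticated prefixes and resolves outside it after decoding.

```python
"""Added example (not from the page or the Home Assistant project): apply the
CVE-2023-27482 detection indicators to constructed log lines and a constructed
JSON response. Log format, the admin=<value> field and the lenient-router
normalisation are assumptions, not observed behaviour."""
import json
import re
from urllib.parse import unquote

# Prefixes the Home Assistant proxy forwarded to the Supervisor without a
# Home Assistant auth token; traversal out of them reaches authenticated
# Supervisor endpoints such as /supervisor/info.
UNAUTHENTICATED_PREFIXES = ("/api/hassio/app/", "/api/hassio_ingress/")

# Encoded dot-dot forms from the page's IOCs plus the single-encoded ones.
TRAVERSAL_RE = re.compile(r"(?i)\.%252e|%252e\.|\.%09\.|%2e%2e|\.\./")

# Assumed combined-log-style line; "admin=<v>" is a stand-in for a logged header.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\S+)(?: admin=(?P<admin>\S+))?"
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize(path):
    """Approximate what a lenient router sees: decode up to two layers of
    percent-encoding, drop embedded tabs, then resolve '.' and '..' segments."""
    p = path.split("?", 1)[0]
    for _ in range(2):
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    p = p.replace("\t", "")
    segments = []
    for seg in p.split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg and seg != ".":
            segments.append(seg)
    return "/" + "/".join(segments)


def classify(entry):
    """Return the indicator names one parsed log entry matches (empty = benign)."""
    raw, effective, hits = entry["path"], normalize(entry["path"]), []
    for prefix in UNAUTHENTICATED_PREFIXES:
        # Request entered an unauthenticated prefix but resolves outside it.
        if raw.startswith(prefix) and not effective.startswith(prefix):
            hits.append("escapes_" + prefix.strip("/").replace("/", "_"))
    if TRAVERSAL_RE.search(raw):
        hits.append("encoded_dotdot")
    if entry.get("admin") == "1" and raw.startswith("/api/hassio_ingress/"):
        hits.append("x_hass_is_admin_header")
    if hits and entry["status"] == "200":
        hits.append("likely_success_200")
    return hits


def json_keys(obj, acc=None):
    """Collect every key appearing anywhere in a decoded JSON document."""
    acc = set() if acc is None else acc
    if isinstance(obj, dict):
        acc.update(obj)
        for v in obj.values():
            json_keys(v, acc)
    elif isinstance(obj, list):
        for v in obj:
            json_keys(v, acc)
    return acc


def response_is_supervisor_info(content_type, body):
    """The page's success indicator: JSON reply carrying slug, name and ip_address."""
    if not content_type.lower().startswith("application/json"):
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return {"slug", "name", "ip_address"} <= json_keys(data)


def scan(log_text):
    """Return (ip, raw path, indicators) for every line matching an indicator."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (hits := classify(entry)):
            findings.append((entry["ip"], entry["path"], hits))
    return findings


# Constructed sample data (not captured from any real system).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Mar/2023:10:01:02 +0000] "GET /api/hassio/app/.%252e/supervisor/info HTTP/1.1" 200 812
203.0.113.7 - - [08/Mar/2023:10:01:05 +0000] "GET /api/hassio/app/.%09./supervisor/info HTTP/1.1" 200 812
203.0.113.7 - - [08/Mar/2023:10:01:09 +0000] "GET /api/hassio_ingress/.%09./supervisor/info HTTP/1.1" 200 812 admin=1
192.0.2.10 - - [08/Mar/2023:10:02:00 +0000] "GET /api/hassio/app/entrypoint.js HTTP/1.1" 200 4410
192.0.2.10 - - [08/Mar/2023:10:02:03 +0000] "GET /api/hassio/supervisor/info HTTP/1.1" 200 812
"""
SAMPLE_RESPONSE = ('{"result": "ok", "data": {"version": "2023.01.1", "ip_address": '
                   '"172.30.32.2", "addons": [{"name": "Example add-on", "slug": "example"}]}}')

if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(ip, path, ", ".join(hits))
    print("response matches:", response_is_supervisor_info("application/json", SAMPLE_RESPONSE))
```

The first three sample lines are flagged (the third also carries the admin-header indicator); the benign asset request and the legitimately authenticated /api/hassio/supervisor/info call are not, because the rule keys on a request that enters an unauthenticated prefix and resolves outside it rather than on the destination path alone.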

CVSS provenance

NVD (v3.1): 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
VulnCheck: 10.0 CRITICAL