Login Sign Up

CVE-2024-21876

9.1 CRITICAL
Path Traversal

📋 TL;DR

This path traversal vulnerability in Enphase IQ Gateway (formerly Envoy) allows unauthenticated attackers to access or create arbitrary files via URL parameter manipulation. It affects Envoy devices from version 4.x through 8.x, excluding patched version 8.2.4225. This exposes sensitive system files and could enable further system compromise.

💻 Affected Systems

Products:
  • Enphase IQ Gateway
  • Enphase Envoy
Versions: 4.x through 8.x, excluding 8.2.4225
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. Devices must be internet-connected or network-accessible to be exploited.

📦 What is this software?

Iq Gateway Firmware by Enphase

View all CVEs affecting Iq Gateway Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise including credential theft, firmware modification, persistent backdoor installation, and potential lateral movement to connected solar/battery systems

🟠

Likely Case

Unauthorized access to configuration files, credentials, and sensitive system information leading to data exposure and potential gateway takeover

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external exploitation attempts

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details available in DIVD advisory. Simple HTTP requests with crafted parameters can trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.2.4225

Vendor Advisory: https://enphase.com/cybersecurity/advisories/ensa-2024-1

Restart Required: Yes

Instructions:

1. Log into Enphase Installer Toolkit 2. Check current firmware version 3. If below 8.2.4225, initiate firmware update 4. Wait for automatic restart and verification

🔧 Temporary Workarounds

Network Segmentation

all

Isolate Enphase gateways from untrusted networks and internet access

Access Control Lists

all

Implement firewall rules to restrict access to gateway management interface

🧯 If You Can't Patch

  • Segment gateway on isolated VLAN with strict firewall rules
  • Implement network monitoring for path traversal patterns in HTTP requests

🔍 How to Verify

Check if Vulnerable:

Check firmware version via Enphase Installer Toolkit or web interface. If version is between 4.x and 8.x and not 8.2.4225, device is vulnerable.

Check Version:

curl -s http://[gateway-ip]/info | grep firmware_version

Verify Fix Applied:

Confirm firmware version shows 8.2.4225 or higher in Enphase Installer Toolkit

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with ../ patterns in URL parameters
  • Unusual file access patterns in system logs
  • Failed authentication attempts followed by file access

Network Indicators:

  • HTTP requests containing path traversal sequences (../, ..\, %2e%2e%2f)
  • Multiple file access attempts from single source
  • Requests to unusual file paths on gateway

SIEM Query:

http.url:*%2e%2e%2f* OR http.url:*..%2f* OR http.url:*..\* destination.ip:[gateway-ip]

📊 Metadata

CVE ID: CVE-2024-21876
CVSS v3 Score: 9.1 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-22
Published: August 12, 2024
Last Updated: August 23, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-21876, you might also want to check these:

CVE-2024-43955 10.0

CVE-2024-43955 is an unauthenticated path traversal vulnerability in the Droip WordPress plugin that...

Same vulnerability type (CWE-22)
CVE-2025-54261 10.0

This critical path traversal vulnerability in Adobe ColdFusion allows attackers to escape restricted...

Same vulnerability type (CWE-22)
CVE-2024-40628 10.0

This critical vulnerability in JumpServer allows attackers to read arbitrary files from the Celery c...

Same vulnerability type (CWE-22)