CVE-2024-29019
📋 TL;DR
This CSRF vulnerability in ESPHome's dashboard component allows attackers to perform unauthorized configuration file operations (create, edit, delete) by tricking a logged-in user into visiting a malicious webpage. It affects ESPHome version 2023.12.9 and earlier, and can be chained with CVE-2024-27287 for complete account takeover. Users running vulnerable ESPHome installations are at risk.
💻 Affected Systems
- ESPHome
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover when chained with CVE-2024-27287, allowing an attacker to modify device configurations, deploy malicious firmware, and gain persistent access to IoT devices.
Likely Case
Unauthorized modification or deletion of ESPHome configuration files, potentially disrupting device functionality or enabling further attacks.
If Mitigated
Limited impact if proper network segmentation and user awareness prevent malicious page visits, though risk remains if the dashboard is exposed.
🎯 Exploit Status
Exploitation requires user interaction (visiting malicious page) and a logged-in session. CSRF attacks are well-understood and easy to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.3.0
Vendor Advisory: https://github.com/esphome/esphome/security/advisories/GHSA-5925-88xh-6h99
Restart Required: Yes
Instructions:
1. Update ESPHome to version 2024.3.0 or later using 'pip install --upgrade esphome'.
2. Restart the ESPHome dashboard service.
3. Verify the update with 'esphome version'.
🔧 Temporary Workarounds
Disable Dashboard API
Temporarily disable the vulnerable dashboard API endpoints if immediate patching isn't possible.
Edit ESPHome configuration to remove or comment out dashboard API settings
Network Segmentation
Restrict access to the ESPHome dashboard to trusted internal networks only.
Configure firewall rules to block external access to ESPHome dashboard port (typically 6052)
🧯 If You Can't Patch
- Implement strict SameSite cookie policies and CSRF tokens via reverse proxy configuration.
- Isolate ESPHome dashboard on separate VLAN with no internet access and require VPN for administration.
🔍 How to Verify
Check if Vulnerable:
Run 'esphome version' and check whether the version is 2023.12.9 or earlier.
Check Version:
esphome version
Verify Fix Applied:
Confirm version is 2024.3.0 or later with 'esphome version' and test dashboard functionality.
📡 Detection & Monitoring
Log Indicators:
- Unexpected configuration file modifications via API
- API requests without proper CSRF tokens
- Multiple failed authentication attempts followed by successful API calls
Network Indicators:
- External requests to ESPHome dashboard API endpoints
- CSRF payloads in HTTP requests
SIEM Query:
source="esphome" AND (event="config_modified" OR event="api_call") AND user_agent CONTAINS "malicious"
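A detection routine for the log and network indicators above, added here as an example and not part of the original advisory or of ESPHome itself. It assumes the dashboard sits behind a reverse proxy whose access log records client IP, method, path, Origin and Referer; the dashboard host name, the trusted network and the configuration endpoint prefixes (/edit, /delete, /wizard) are illustrative assumptions.

```python
"""Flag cross-site and external requests in ESPHome dashboard proxy logs.

Added example, not ESPHome's own code. Assumes a reverse proxy in front of the
dashboard logging: client_ip method path origin referer ('-' = header absent).
Host name, trusted network and endpoint prefixes are illustrative assumptions.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

DASHBOARD_HOST = "esphome.lan:6052"            # assumed; 6052 is the usual dashboard port
TRUSTED_NETS = [ip_network("192.168.1.0/24")]  # assumed administration network
CONFIG_PREFIXES = ("/edit", "/delete", "/wizard")  # assumed config-file endpoints

def _host_of(url: str):
    """Host[:port] of an Origin/Referer value, or None when the header was absent."""
    return None if url == "-" else urlsplit(url).netloc.lower()

def classify(line: str) -> list[str]:
    """Return indicator names for one log line; an empty list means nothing notable."""
    client, method, path, origin, referer = line.split()
    findings = []
    if not any(ip_address(client) in net for net in TRUSTED_NETS):
        findings.append("external-access")
    # Any non-GET, or any hit on a config endpoint, may change configuration files.
    if method != "GET" or path.startswith(CONFIG_PREFIXES):
        # Browsers send Origin on cross-site POSTs; Referer is the fallback.
        src_host = _host_of(origin) or _host_of(referer)
        if src_host is not None and src_host != DASHBOARD_HOST:
            findings.append("cross-site-request")
        elif src_host is None and method != "GET":
            findings.append("missing-origin")
    return findings

def scan(log: str) -> dict[str, list[str]]:
    """Map each notable log line to its indicators."""
    return {ln: hits for ln in log.splitlines() if (hits := classify(ln))}

# Constructed sample lines, not real traffic: a normal edit and save, a save
# submitted from a third-party page, and an edit from outside the LAN.
SAMPLE_LOG = """\
192.168.1.20 GET /edit?configuration=living.yaml - http://esphome.lan:6052/
192.168.1.20 POST /edit?configuration=living.yaml http://esphome.lan:6052 http://esphome.lan:6052/edit
192.168.1.20 POST /delete?configuration=living.yaml http://third-party.example -
203.0.113.7 GET /edit?configuration=living.yaml - http://third-party.example/page.html
"""

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG).items():
        print(", ".join(hits), "<-", line)
```

Only the last two sample lines are reported: the cross-site save and the external edit.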