CVE-2023-27217 is a new security vulnerability in Belkin’s second-generation Wemo Mini Smart Plug, discovered by the Israeli IoT security company Sternum.
Belkin’s second-generation Wemo Mini Smart Plug (F7C063) was found to contain a buffer overflow vulnerability, identified as CVE-2023-27217, which could be exploited by threat actors to inject arbitrary commands remotely. Sternum researchers discovered and reported the issue to Belkin on January 9, 2023, after reverse-engineering the device and gaining firmware access.
The Wemo Mini Smart Plug V2 allows users to remotely control their electronic devices via a companion app installed on a smartphone or tablet. The vulnerability lies in the “FriendlyName” feature, which lets users rename the smart plug from the default “Wemo mini 6E9” to a name of their choosing, limited to at most 30 characters. However, that length limit is enforced only by the app; the firmware code does not apply the same validation rule itself.
How Can CVE-2023-27217 Be Exploited?
The exploit involves using a community-made Python app called PyWeMo to bypass the official Wemo app and its client-side check, allowing the attacker to set a device name longer than 30 characters, which results in a buffer overflow and remote command injection.
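To illustrate the root cause described above, here is an added example (not Belkin's firmware or Sternum's code) of the unsafe pattern beside a server-side check that enforces the 30-character limit on the device regardless of which client sent the request. The buffer size, the `device_config` layout and the `relay_state` field are assumptions for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical reconstruction, not Belkin's firmware: the article states that
 * the companion app enforces a 30-character limit on FriendlyName while the
 * firmware does not re-check it. Buffer size and struct layout are assumed. */
#define FRIENDLY_NAME_MAX 30

struct device_config {
    char friendly_name[FRIENDLY_NAME_MAX + 1]; /* 30 chars + terminating NUL */
    int  relay_state;                          /* assumed neighbouring field */
};

/* Before: the pattern the article describes. The length limit lives only in
 * the client, so a request from any other client carrying a longer name
 * writes past friendly_name into whatever the firmware stores after it. */
void set_friendly_name_unchecked(struct device_config *cfg, const char *name)
{
    strcpy(cfg->friendly_name, name); /* unbounded copy: overflows on > 30 chars */
}

/* Validation the device itself must perform: reject empty, overlong or
 * non-printable names no matter what the client promised. */
int friendly_name_is_valid(const char *name)
{
    size_t n = 0;
    /* Bounded scan: never looks further than FRIENDLY_NAME_MAX + 1 bytes. */
    while (n <= FRIENDLY_NAME_MAX && name[n] != '\0')
        n++;
    if (n == 0 || n > FRIENDLY_NAME_MAX)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c > 0x7e)
            return 0; /* control bytes and non-ASCII are refused */
    }
    return 1;
}

/* After: copy only once the server-side check passes. Returns 0 on success,
 * -1 when the name is rejected, in which case cfg is left untouched. */
int set_friendly_name_checked(struct device_config *cfg, const char *name)
{
    if (!friendly_name_is_valid(name))
        return -1;
    size_t n = strlen(name); /* at most FRIENDLY_NAME_MAX after the check above */
    memcpy(cfg->friendly_name, name, n);
    cfg->friendly_name[n] = '\0';
    return 0;
}
```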
Unfortunately, Belkin informed Sternum that the device had reached end of life and would therefore not receive a fix. The bug was reported to the MITRE Corporation and assigned the identifier CVE-2023-27217.
If you still own a Wemo smart plug, it is recommended that you avoid exposing the device’s UPnP ports to the internet and segment your network to isolate the plug from Wi-Fi-connected devices that hold more sensitive information. While these are generally good steps to take with internet-connected IoT devices, they are not always a reliable solution.
How to Protect Against CVE-2023-27217
To protect against this issue, Sternum researchers suggest in their report that the Wemo Smart Plug V2’s UPnP ports not be exposed to the internet, either directly or through port forwarding. If the Smart Plug V2 is used within a sensitive network, it should be properly segmented so that it cannot communicate with any other sensitive devices on the same subnet.