Wattsense Bridge Authenticated Remote Root Access Vulnerability via Malicious Python File Upload
Vulnerability
A vulnerability in Wattsense Bridge devices allows an authenticated attacker to upload a malicious Python file through the Plugin Manager in the web interface; the device then executes the uploaded file, giving the attacker remote root access. The vulnerability is present in Wattsense Bridge firmware versions prior to 6.1.0. To exploit it, an attacker needs a valid user account on the Wattsense web interface and access to a bridge device that is connected to the internet.
Impact
Exploitation of this vulnerability allows for authenticated remote root access to the affected Wattsense Bridge device.
Reproduction
To reproduce this vulnerability, an authenticated user logs in to the Wattsense Bridge web interface and navigates to the Plugin Manager, where a malicious Python file can be uploaded. The uploaded file is then executed on the device, granting root access.
Remediation
Users are advised to update to Wattsense Bridge firmware version 6.1.0 or later.