Arris VIP1113 Bootloader Shell Injection Vulnerability Allowing Root Access and Firmware Modification
Vulnerability
A bootloader shell injection vulnerability has been identified in Arris VIP1113 devices running the KreaTV SDK prior to May 30, 2025. This vulnerability allows arbitrary code execution with root privileges, bypasses secure boot, and enables attackers to dump encryption keys and load custom firmware. The issue arises because the second-stage bootloader executes user-controlled settings without proper escaping, creating an opportunity to inject commands that overwrite system executables.
Impact
Exploitation of this vulnerability provides root access to the device, allowing for unauthorized modifications and execution of arbitrary code with elevated privileges.
Reproduction
The vulnerability can be reproduced by accessing a hidden configuration menu in the Arris VIP1113 remote control. Once the menu is unlocked, settings can be injected that will be passed directly to the command line of the bootloader. By manipulating the 'remote_file' parameter of the TFTP command, it's possible to overwrite any executable on the device's file system. After replacing a binary with a malicious one, the bootloader can be instructed to execute it as the root user.
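The root cause described above, settings reaching a command line unescaped, is closed by validating each value against an allowlist and building an argument vector that no shell ever parses. The following is an added example, not Arris or KreaTV code; the function names, the staging path and the BusyBox-style `tftp` flags are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAX_SETTING_LEN 64
/* Hypothetical fixed download target: never derived from a user setting. */
#define STAGING_PATH "/tmp/staging/download.bin"

/* Returns 1 only for a plain name made of [A-Za-z0-9._-], else 0. */
int setting_is_safe(const char *value)
{
    size_t len = value ? strlen(value) : 0;

    if (len == 0 || len > MAX_SETTING_LEN)
        return 0;
    if (value[0] == '-' || value[0] == '.')   /* no option injection, no dotfiles */
        return 0;
    if (strstr(value, "..") != NULL)          /* no path traversal */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok)
            return 0;   /* rejects spaces, quotes, '/', ';', '|', '$', newlines */
    }
    return 1;
}

/*
 * Fills argv[] for an execv()-style call, so each setting stays one argument
 * and is never interpreted as command text. Returns the argument count, or -1
 * if a setting fails validation or argv[] is too small.
 */
int build_tftp_argv(const char *server, const char *remote_file,
                    const char *argv[], size_t argv_cap)
{
    size_t n = 0;

    if (argv_cap < 8 || !setting_is_safe(server) || !setting_is_safe(remote_file))
        return -1;
    argv[n++] = "tftp";          /* assumed BusyBox-style client and flags */
    argv[n++] = "-g";
    argv[n++] = "-r";
    argv[n++] = remote_file;     /* validated, passed as a single argument */
    argv[n++] = "-l";
    argv[n++] = STAGING_PATH;    /* fixed by firmware, not by settings */
    argv[n++] = server;
    argv[n] = NULL;
    return (int)n;
}
```

The check belongs in the bootloader at the point where the setting is consumed, since a hidden menu is not an access control.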
