CVE-2018-18638

HIGH

Neato Botvac Connected 2.2.0 - OS Command Injection via NTP Field in Setup API


Description

A command injection vulnerability in the setup API of Neato Botvac Connected 2.2.0 allows network attackers to execute arbitrary commands via shell metacharacters in the ntp field of JSON data sent to the /robot/initialize endpoint.

Scores

CVSS v3 8.1
EPSS 0.0283
EPSS Percentile 84.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (1)
neatorobotics/botvac_connected_firmware 2.2.0
Published Oct 24, 2018
Tracked Since Feb 18, 2026