CVE-2018-18638
Neato Botvac Connected 2.2.0 - OS Command Injection via NTP Field in Setup API
Severity: HIGH
Title source: llmDescription
A command injection vulnerability in the setup API in the Neato Botvac Connected 2.2.0 allows network attackers to execute arbitrary commands via shell metacharacters in the ntp field within JSON data to the /robot/initialize endpoint.
References (1)
Exploit, Third Party Advisory (x_refsource_misc)
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/security-in-a-vacuum-hacking-the-neato-botvac-connected-part-1/
Scores
CVSS v3
8.1
EPSS
0.0283
EPSS Percentile
84.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (1)
neatorobotics/botvac_connected_firmware
2.2.0
Published
Oct 24, 2018
Tracked Since
Feb 18, 2026