CVE-2020-22000

HIGH

HomeAutomation 3.3.2 - Authenticated OS Command Injection via Custom Command Plugin

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-22000. PoCs published by LiquidWorm.

AI-analyzed exploit summary: This exploit demonstrates a CSRF-based remote command execution vulnerability in HomeAutomation 3.3.2 via unsanitized input to the 'set_command_on' parameter, which is passed to PHP's exec() function. The PoC includes a reverse shell payload to achieve RCE as the web user.

Description

HomeAutomation 3.3.2 suffers from an authenticated OS command execution vulnerability in the custom command v0.1 plugin. This can be exploited with a CSRF vulnerability to execute arbitrary shell commands as the web user via the 'set_command_on' and 'set_command_off' POST parameters in '/system/systemplugins/customcommand/customcommand.plugin.php', which are passed unsanitized to the PHP exec() function.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · text · webapps · php
https://www.exploit-db.com/exploits/47809

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: HomeAutomation 3.3.2
Auth required
Prerequisites: Authenticated access to the application · CSRF vulnerability to bypass authentication
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5560.php
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/47809

Scores

CVSS v3 8.0
EPSS 0.0106
EPSS Percentile 60.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-78, CWE-352
Status published
Products (1)
homeautomation_project/homeautomation 3.3.2
Published Apr 27, 2021
Tracked Since Feb 18, 2026