CVE-2024-22894

MEDIUM

Alpha-innotec Heat Pumps Firmware < 2.88.3 - Weak Encryption


Description

An issue in AIT-Deutschland Alpha Innotec Heatpumps (fixed in V2.88.3 or later, V3.89.0 or later, V4.81.3 or later) and Novelan Heatpumps (fixed in V2.88.3 or later, V3.89.0 or later, V4.81.3 or later) allows remote attackers to execute arbitrary code via the password component in the shadow file.

Exploits (1)

nomisec WRITEUP 3 stars
by Jaarden · poc
https://github.com/Jaarden/CVE-2024-22894

Scores

CVSS v3: 6.8
EPSS: 0.0331
EPSS Percentile: 87.3%
Attack Vector: PHYSICAL
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-326
Status: published
Products (2)
alpha-innotec/heat_pumps_firmware < 2.88.3
novelan/heat_pumps_firmware < 2.88.3
Published: Jan 30, 2024
Tracked Since: Feb 18, 2026