"Unpatched Wemo Smart Plug Bug Opens Countless Networks to Cyberattacks"

The Wemo Mini Smart Plug V2, which enables users to remotely control anything connected to it via a mobile app, contains a security flaw that cyberattackers can exploit to trigger a variety of undesirable outcomes. These include the ability to turn electronic devices on and off remotely, and the potential to move deeper into an internal network or jump to additional devices. The Smart Plug plugs into an existing outlet and connects to an internal Wi-Fi network and the Internet via Universal Plug and Play (UPnP) ports. Users can then control the device via a mobile app, which provides a way to make traditional lamps, fans, and other utility items smart. In addition to integrating with Alexa, Google Assistant, and Apple HomeKit, the app provides features such as scheduling. According to researchers at Sternum, the flaw, tracked as CVE-2023-27217, is a buffer-overflow vulnerability that affects device model F7C063 and allows remote command injection. However, when they contacted the device manufacturer, Belkin, for a patch, they were informed that no firmware update would be released because the device is now an end-of-life product. This article continues to discuss the command injection bug in the popular device that Belkin has no plans to address.

Dark Reading reports "Unpatched Wemo Smart Plug Bug Opens Countless Networks to Cyberattacks"
