Critical Command Injection in Connectify Hub OS (CVE-2025-1094)
A critical authenticated command injection vulnerability has been discovered in Connectify Hub OS, the firmware powering thousands of smart home hubs. The flaw, tracked as CVE-2025-1094, allows an attacker with basic user credentials to gain complete control of the device, earning it a CVSS score of 9.1 (Critical).
TL;DR:
- What: A critical command injection vulnerability in the web management interface.
- Affected Software: Connectify Hub OS versions 2.1.0 through 2.8.3.
- Impact: An attacker with any valid login can execute arbitrary commands as the root user, completely taking over the device and potentially the local network.
- Action: Update your firmware to version 2.8.4 or newer immediately. Also, ensure you have changed the default administrator password.
What is Connectify Hub OS?
Connectify Hub OS is a popular open-source firmware for smart home hubs that centralizes control over various IoT devices like smart lights, thermostats, and security cameras. It’s known for its user-friendly web interface that allows for easy configuration and management.
The “Commandeer” Vulnerability Explained
This vulnerability is a classic command injection flaw found on the “Network Diagnostics” page of the hub’s web portal. This page includes a feature to ping a host to test network connectivity.
- Vulnerable Page: Network Diagnostics (/diag/network)
- Vulnerable Parameter: ping_host
The backend script takes the hostname or IP address from the ping_host parameter and executes a shell command without properly sanitizing the input first. An attacker can abuse this by appending a semicolon (;) or other shell command separators to inject their own commands.
The Attack: An attacker with credentials to the web interface (even a low-privilege user, or an attacker using the default password admin) can submit a malicious payload.
For example, instead of pinging 8.8.8.8, an attacker could submit: 8.8.8.8; nc -l -p 4444 -e /bin/sh
The vulnerable backend passes this string to the shell, which pings 8.8.8.8 and then starts netcat listening on TCP port 4444 with /bin/sh attached to the connection. This is a bind shell rather than a reverse shell: the attacker connects to port 4444 on the hub and receives an interactive shell (the -e option assumes a netcat build that supports it, such as netcat-traditional or BusyBox nc, both common on embedded devices). Because of the privilege issue described below, that shell runs as root.
Here is a pseudo-code example of the vulnerable backend logic:
PHP
<?php
// Vulnerable code in Connectify Hub OS < 2.8.4
$host = $_POST['ping_host'];
// The input $host is not sanitized and is concatenated straight into the
// command string, so shell separators (; && | etc.) in it are honoured.
$output = shell_exec("ping -c 4 " . $host);
echo "<pre>$output</pre>";
Because the web server on many embedded devices runs as the root user for simplicity, the injected command also runs as root.
Impact and Remediation
A successful exploit gives an attacker complete control over your smart hub. From there, they can:
- Monitor all your home network traffic that passes through the hub.
- Control, disable, or manipulate all connected smart devices (cameras, locks, thermostats).
- Use the hub as a pivot point to attack other devices on your local network, like computers and NAS drives.
- Install persistent backdoors or ransomware on the device.
Are you affected? You are vulnerable if your Connectify Hub is running firmware versions 2.1.0 through 2.8.3.
How to Fix It
The Connectify team has released a patched firmware version.
- Update Firmware: Your top priority is to navigate to the System > Firmware Update page in your web interface and update to version 2.8.4 or newer. This version properly validates the input to prevent command injection.
- Change Default Passwords: If you are still using the default password (admin/admin), change it immediately to a strong, unique password. This does not remove the flaw, which is reachable by any authenticated user, but it denies an attacker the trivial login path.
- Network Segmentation: For enhanced security, consider placing your IoT devices on a separate network segment or VLAN, isolated from your primary computers and sensitive data.
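The following Python script is an added example, not code from Connectify Hub OS or from the advisory. It shows what a POSIX shell makes of the concatenated "ping -c 4 <ping_host>" string described in the vulnerability section, and the two fixes a patched backend would apply: quoting the argument (shlex.quote is the Python counterpart of PHP's escapeshellarg) and, better, validating ping_host against an allow-list and passing an argv list so no shell is involved at all. The payload is the one quoted above; the hostname regex, the function names and the separator set are the example's own assumptions. Nothing is executed, so it runs offline.

```python
"""Added example (not Connectify Hub OS code): how a shell splits the
ping_host payload, and two ways of neutralising it."""
import ipaddress
import re
import shlex

# Operators that end one command and start another; `sh -c` honours all of these.
SEPARATORS = {";", "&&", "||", "|", "&"}

# Allow-list for DNS names (assumed policy: RFC 1123 labels, no leading/trailing '-').
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"                          # total length
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"           # first label
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"   # further labels
)


def split_shell_commands(cmd: str) -> list[list[str]]:
    """Tokenise cmd the way a POSIX shell would and split it into the
    separate commands the shell would run. Static analysis only."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def vulnerable_command(host: str) -> str:
    """Mirrors shell_exec("ping -c 4 " . $host): raw string concatenation."""
    return "ping -c 4 " + host


def quoted_command(host: str) -> str:
    """Quoting fix (escapeshellarg equivalent): the whole input becomes one
    argument to ping, so ';' and friends lose their meaning."""
    return "ping -c 4 " + shlex.quote(host)


def validate_ping_host(host: str) -> str:
    """Allow-list fix: accept only an IPv4/IPv6 literal or a DNS hostname.
    Rejecting a leading '-' also blocks argument injection such as '-f'."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(host):
        return host
    raise ValueError(f"rejected ping_host: {host!r}")


def hardened_argv(host: str) -> list[str]:
    """Preferred fix: validate, then build an argv list for
    subprocess.run(argv, capture_output=True, timeout=10); no shell runs."""
    return ["ping", "-c", "4", validate_ping_host(host)]


if __name__ == "__main__":
    PAYLOAD = "8.8.8.8; nc -l -p 4444 -e /bin/sh"  # payload quoted in the advisory
    print("vulnerable:", split_shell_commands(vulnerable_command(PAYLOAD)))
    print("quoted:    ", split_shell_commands(quoted_command(PAYLOAD)))
    try:
        hardened_argv(PAYLOAD)
    except ValueError as err:
        print("allow-list:", err)
```

Running it shows the vulnerable string becoming two commands (ping, then nc), the quoted string becoming one ping invocation with the entire payload as a single, harmless argument, and the allow-list rejecting the payload outright. Quoting alone still lets a host such as -f reach ping as an option, which is why the allow-list also refuses a leading hyphen. In a PHP backend the same shape is filter_var with FILTER_VALIDATE_IP or a hostname regex, then either escapeshellarg or, on PHP 7.4+, proc_open with an argv array instead of a command string.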
Resources and Citations
- Official Connectify Website: https://connectify-hub.com
- Official GitHub Repository: https://github.com/Connectify/hub-os
- Official Security Advisory: https://github.com/Connectify/hub-os/security/advisories/GHSA-fictional-ghij-1094
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2025-1094
- Discoverer's Blog Post: https://iot-security.foundation/blog/connectify-hub-os-root-injection
- General
