Google Nest WiFi Pro root code-execution & user-data compromise
The vulnerability is related to lack of encryption of sensitive data (CWE-311), which may enable interception or manipulation of device communication. The flaw allows an unauthenticated remote attacker to execute arbitrary code in a privileged (root) context on the device. The scope of the attack extends beyond the device itself (Scope: Changed), meaning potential impact on other systems in the network.
An attacker can gain full control of the device with root privileges, leading to complete breach of confidentiality, integrity, and availability of the system and user data stored or transmitted through the router.
Apply patches available from the manufacturer according to the references (https://support.google.com/product-documentation/answer/14273332). It is recommended to immediately update the device firmware to the version indicated by Google as secure.
Google Nest WiFi Pro and its firmware – specific versions indicated in manufacturer references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HGoogle Nest Wifi Pro
HWGooglewszystkie wersjeGoogle Nest Wifi Pro Firmware
OSGooglewszystkie wersje
Related vulnerabilities
Wyciek pamięci Trusted Application w urządzeniach Google Nest Wifi
U-Boot environment is read from unauthenticated partition.
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Type confusion w V8 (Google Chrome/Edge) umożliwiający heap corruption
Type Confusion w V8 (Google Chrome) — RCE przez spreparowaną stronę HTML