RaspberryMatic is a free and open-source operating system for running a cloud-free smart-home using the homematicIP / HomeMatic hardware line of IoT devices. A Remote Code Execution (RCE) vulnerability in the file upload facility of the WebUI interface of RaspberryMatic exists. Missing input validation/sanitization in the file upload mechanism allows remote, unauthenticated attackers with network access to the WebUI interface to achieve arbitrary operating system command execution via shell metacharacters in the HTTP query string. Injected commands are executed as root, thus leading to a full compromise of the underlying system and all its components. Versions after `2.31.25.20180428` and prior to `3.63.8.20220330` are affected. Users are advised to update to version `3.63.8.20220330` or newer. There are currently no known workarounds to mitigate the security impact and users are advised to update to the latest version available.
Conclusion & alert: CVE-2022-24796 is rated High Risk (70.8/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 3.52%). Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-17 | 3.42% | 3.52% | +0.10% |
| 2 | 2026-06-15 | 6.44% | 3.42% | -3.02% |
| 3 | 2025-11-21 | — | 6.44% | — |
Full EPSS history (19 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 10.0 | 3.1 | CRITICAL |
|
3.9 | 6.0 | [email protected] |
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | [email protected] |
| 10.0 | 2.0 | HIGH |
|
10.0 | 10.0 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| raspberrymatic | raspberrymatic | >= 2.31.25.20180428, < 3.63.8.20220330 | cpe:2.3:o:raspberrymatic:raspberrymatic:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/jens-maus/RaspberryMatic/commit/34854659a63e9fb3ad529bb413e96978c6450a53 | Patch Third Party Advisory |
| https://github.com/jens-maus/RaspberryMatic/security/advisories/GHSA-g7vv-7rmf-mff7 | Patch Third Party Advisory |