CVE-2019-12780

The Belkin Wemo Enabled Crock-Pot allows command injection in the Wemo UPnP API via the SmartDevURL argument to the SetSmartDevInfo action. A...

Basic Information

CVE State: PUBLISHED
Reserved Date: June 10, 2019
Published Date: June 10, 2019
Last Updated: August 04, 2024
Vendor: Belkin
Product: Wemo Enabled Crock-Pot
Description: The Belkin Wemo Enabled Crock-Pot allows command injection in the Wemo UPnP API via the SmartDevURL argument to the SetSmartDevInfo action. A simple POST request to /upnp/control/basicevent1 can allow an attacker to execute commands without authentication.

CVSS Scores

CVSS v2.0

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Score

Score: 39.37% (Percentile: 97.10%) as of 2025-05-26

Exploit Status

Exploited in the Wild: Yes (2025-05-05 00:00:00 UTC) Source

References

https://www.exploit-db.com/exploits/46436

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2025-04-28 00:00:00 UTC

Timeline

CVE ID Reserved

June 10, 2019
CVE Published to Public

June 10, 2019
Added to KEVIntel

April 28, 2025