zeroscience
ZSL Bot v4.89.1.00
Python:
#!/usr/bin/env python3
#
#
# SIP Sustainable Irrigation Platform 5.x (cli_control) Remote Code Execution
#
#
# Vendor: Dan-in-CA
# Product web page: https://github.com/Dan-in-CA/SIP
# Affected version: 5.2.16
#
# Summary: SIP is a free Raspberry Pi based Python program for
# controlling irrigation systems (sprinkler, drip, hydroponic,
# etc). It uses web technology to provide an intuitive user
# interface (UI) in several languages. The UI can be accessed
# in your favorite browser on desktop, laptop, and mobile devices.
# SIP has also been used to control pumps, lights, and other Irrigation
# related equipment.
#
# Desc: SIP executes user-configured operating-system commands
# when an irrigation station changes state, if the optional cli_control
# plugin is installed and enabled. This can be exploited to run
# arbitrary commands on the affected host by storing a command
# through the plugin's HTTP endpoint and then activating the associated
# station. When the optional passphrase is not enabled (factory
# default) both steps require no authentication, and where the
# passphrase is enabled it defaults to 'opendoor' and the same
# result is reachable through cross-site request forgery.
#
# Tested on: Debian GNU/Linux 11 (bullseye) raspberrypi 6.1.21+ (armv6l/aarch64)
# Python 3.9.2
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2026-5999
# Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5999
#
#
# 24.06.2026
#
from http.server import BaseHTTPRequestHandler, HTTPServer
import urllib.parse
import http.client
import threading
import datetime
import time
import ssl
import sys
if __name__ == "__main__":
main()
ZSL-2026-5999: SIP Sustainable Irrigation Platform 5.x (cli_control) Remote Code Execution
ZSL-2026-5999: SIP Sustainable Irrigation Platform 5.x (cli_control) Remote Code Execution