Update to fix potential vulnerability in FTP access of the Miniserver

Luke Murphy
26th January 2022 in Technology

At Loxone, we regularly carry out security audits to ensure the continuous safety of our systems.

During our last audit on 24 January 2022, we discovered a security vulnerability related to FTP access of Miniservers running firmware versions 12.1.6.17, 12.1.7.16, 12.2.10.27 and 12.2.11.5.

In rare scenarios, this vulnerability can be exploited in installations where attackers gain FTP access to the Miniserver, allowing them to modify data.

Our team has created a new version to fix this issue. This version (12.2.12.1) is now available to download, and we strongly recommend all Miniservers running versions 12.1.6.17, 12.1.7.16, 12.2.10.27 and 12.2.11.5 be updated.

Today, a notification prompt was pushed via the Loxone App – enabling users with the relevant permissions to initiate the update themselves. The new version does not include any other changes apart from fixing the security vulnerability.

There are no known cases of an attacker exploiting this vulnerability. However, as always, we recommend keeping all customer installations up to date. The update completely prevents a potential attack scenario and thus ensures maximum security.