OpenRemote, a widely used, fully open-source IoT management platform, has disclosed a maximum-severity vulnerability. The flaw, tracked as CVE-2026-39842, carries a CVSS score of 10.0, the highest possible rating, and affects organizations that use the platform for device management and automation.
OpenRemote is used to build complete IoT solutions, from auto-provisioning and asset customization to complex automation written as JavaScript and Groovy rules. Researchers found that the rules engine built to give users that flexibility can be turned against the server it runs on.
The vulnerability consists of two related expression injection flaws in the platform's rules engine. Both allow an attacker who can submit a rule to execute arbitrary code directly on the server, with no security layer in between, and achieve full server compromise.
The first and more serious issue is in the Nashorn JavaScript engine. OpenRemote executes JavaScript automation rules through the standard ScriptEngine.eval() call.
Investigators found that these rules run with:
- Zero sandboxing: nothing confines what a script can do once it is evaluated.
- No class filtering: a script can resolve any Java class loaded in the JVM (Nashorn exposes this through its Java.type() helper), which is what turns script access into arbitrary code execution on the host.
- Low entry barrier: exploitation is not limited to superusers. Any user holding the “write:rules” role can create a ruleset, and creating it is enough to trigger the injection.
The JavaScript engine is the primary point of failure, but the Groovy rules engine was also found to be insecure. A security filter named DenyAllFilter exists in the code, yet it was never actually registered.
“The registration code is commented out, rendering the SandboxTransformer ineffective,” the advisory explains.
Groovy rules are currently restricted to superusers, so the exposure is narrower, but an unregistered sandbox is a defense-in-depth failure: a compromised superuser account, or any future relaxation of that restriction, would again mean arbitrary code on the server.
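The two findings come down to the same engineering mistake: a script engine that evaluates user-supplied rules without a registered filter in front of it. The following Java program is an added illustration written for this article, not code from OpenRemote or its advisory. It assumes the standalone Nashorn build (org.openjdk.nashorn:nashorn-core) and the kohsuke groovy-sandbox library (org.kohsuke:groovy-sandbox, whose SandboxTransformer the advisory names) are on the classpath; the DenyAllInterceptor class, the probe scripts and the method names are this example's own, and the probes deliberately only read a JVM property rather than do anything harmful.

```java
// RuleEngineHardening.java
// Added illustration for this article, not OpenRemote code. Assumes standalone
// Nashorn (org.openjdk.nashorn) and kohsuke groovy-sandbox on the classpath.
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.kohsuke.groovy.sandbox.GroovyInterceptor;
import org.kohsuke.groovy.sandbox.SandboxTransformer;
import org.openjdk.nashorn.api.scripting.ClassFilter;
import org.openjdk.nashorn.api.scripting.NashornScriptEngineFactory;
import groovy.lang.GroovyShell;

public class RuleEngineHardening {

    // Constructed, harmless probes: each only asks whether a rule can reach a
    // JDK class at all. Anything a rule can do with System it can do with
    // Runtime or File, which is why reachability is the property to test.
    static final String JS_PROBE =
        "Java.type('java.lang.System').getProperty('java.version')";
    static final String GROOVY_PROBE = "System.getProperty('java.version')";

    // The shape the advisory describes for JavaScript rules: a plain engine
    // with no ClassFilter, so Java.type() resolves any class the JVM can load.
    static ScriptEngine unsandboxedNashorn() {
        return new ScriptEngineManager().getEngineByName("nashorn");
    }

    // Hardened: a ClassFilter that exposes no Java class to scripts. Replace
    // the lambda with an explicit allow-list if rules legitimately need types.
    static ScriptEngine filteredNashorn() {
        ClassFilter denyAll = className -> false;
        return new NashornScriptEngineFactory().getScriptEngine(denyAll);
    }

    // true when the probe resolved a Java class; false when the filter refused
    // it (Nashorn throws ClassNotFoundException, surfaced as ScriptException).
    static boolean jsCanReachJava(ScriptEngine engine) {
        try {
            return engine.eval(JS_PROBE) != null;
        } catch (Exception refused) {
            return false;
        }
    }

    // Hypothetical deny-by-default interceptor standing in for a DenyAll-style
    // filter: static calls and method calls are refused unless the receiver is
    // on a tiny allow-list of value types.
    static class DenyAllInterceptor extends GroovyInterceptor {
        private static boolean allowed(Class<?> c) {
            return c == String.class || c == Integer.class
                || c == Double.class || c == Boolean.class;
        }
        @Override
        public Object onStaticCall(Invoker invoker, Class receiver,
                                   String method, Object... args) throws Throwable {
            if (!allowed(receiver)) throw new SecurityException(
                "denied static call " + receiver.getName() + "." + method);
            return super.onStaticCall(invoker, receiver, method, args);
        }
        @Override
        public Object onMethodCall(Invoker invoker, Object receiver,
                                   String method, Object... args) throws Throwable {
            if (receiver == null || !allowed(receiver.getClass()))
                throw new SecurityException("denied method call ." + method);
            return super.onMethodCall(invoker, receiver, method, args);
        }
    }

    // SandboxTransformer rewrites the script so every call is routed through
    // the interceptors registered on the current thread. With none registered
    // it is inert and every call passes straight through, which is what the
    // advisory's "registration code is commented out" amounts to.
    static boolean groovyCanReachJava(boolean registerInterceptor) {
        CompilerConfiguration cc = new CompilerConfiguration();
        cc.addCompilationCustomizers(new SandboxTransformer());
        GroovyShell shell = new GroovyShell(cc);
        GroovyInterceptor filter = new DenyAllInterceptor();
        if (registerInterceptor) filter.register();   // the missing step
        try {
            return shell.evaluate(GROOVY_PROBE) != null;
        } catch (RuntimeException denied) {           // our SecurityException
            return false;
        } finally {
            if (registerInterceptor) filter.unregister();
        }
    }

    public static void main(String[] args) {
        System.out.println("Nashorn, no filter        : " + jsCanReachJava(unsandboxedNashorn()));
        System.out.println("Nashorn, deny ClassFilter : " + jsCanReachJava(filteredNashorn()));
        System.out.println("Groovy, unregistered      : " + groovyCanReachJava(false));
        System.out.println("Groovy, registered        : " + groovyCanReachJava(true));
    }
}
```

Run it and the probe should succeed only in the two unfiltered configurations, which is the condition the advisory describes for both engines. Two caveats a practitioner should keep in mind: a Nashorn ClassFilter governs what Java.type() and the Java.* helpers will resolve, not every path a script might take, and an interceptor-based Groovy sandbox is only as strong as its allow-list. Both belong behind the role restriction on who may write rules, not in place of it.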
Because OpenRemote handles device management, multi-tenancy and insights dashboards, a full server takeover leaves nothing out of reach: an attacker could seize control of every connected IoT asset, exfiltrate data across tenants, or disrupt automation flows across an entire organization.
The OpenRemote development team has addressed both issues. Administrators are urged to upgrade to 1.22.0 immediately; until that is done, it is worth reviewing which accounts hold the “write:rules” role, since that role alone is sufficient to exploit the JavaScript flaw.