Security misconfiguration in IKEA DIRIGERA smart hub web server exposes large parts of the root filesystem (GCVE-2342-2026-1)

Pentagrid AG — Wed, 17 Jun 2026 13:42:00 GMT

IKEA produces smart home devices and their newest generation uses the central DIRIGERA smart hub. After extracting the firmware, we started hunting for vulnerabilities of the device and found: An unauthenticated attacker on the network can download large parts of the files from the DIRIGERA hub root filesystem. This affects files that are accessible to the service user license-server. These include binaries, firmware files, API keys and in general a lot of proprietary code written by Inter IKEA Systems.

Timeline

2026-03-18: Vulnerability was discovered.
2026-03-19: Tried to identify security contacts by checking IKEAS's security.txt, their GPG key and the web. The available online form for submissions was incompatible with Pentagrid's disclosure policy. Tried to contact security@ikea.com by guessing the address, but the e-mail was bounced. Tried to reach out to IKEA via Linkedin and got afterwards contacted by Inter IKEA Systems.
2026-03-23: IKEA confirms they are handling the security reports. Pentagrid sends a draft of this advisory.
2026-03-26: Pentagrid contacts IKEA for a status update. IKEA confirms they are still triaging the issue.
2026-04-29: Pentagrid contacts IKEA for a status update.
2026-05-04: IKEA sends an update: The issue was a duplicate and reported shortly before Pentagrid's submission on Hackerone. A fix was released to production in the 2.934.1 release, which was released on 2026-04-09. The fix removes the license-server component from the build and that functionality has been reworked to be handled elsewhere outside of the hub. Pentagrid asks if disclosure could happen already. IKEA responds with with a list of questions regarding the disclosure.
2026-05-06: Pentagrid responds to the list of questions and provides an early draft of this blog post.
2026-05-13: Pentagrid asked for an update.
2026-05-27: IKEA agrees that the provided answers/blog post draft are in order with them and Pentagrid can proceed as planned.
2026-06-17: 90 days disclosure deadline and publication.

Unauthenticated file download via licensing server

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N, 5.8 Medium

Affected Components

The affected component is the IKEA DIRIGERA smart home hub created by Inter IKEA Systems. The device runs a busybox httpd web server on TCP port 8082, which runs as a systemd service under user license-server.

An initial firmware dump prior to the update showed the version information below. The system remained vulnerable after an update to a new firmware on 2026-03-18.

[HomeSmart/Bootchain : 2.556]

and

/etc/version
20180309123456

The vulnerability was fixed in version 2.934.1.

Summary

An unauthenticated attacker on the network can download many files from the DIRIGERA hub root filesystem. The files must be accessible to the Linux user license-server. These include binaries, firmware files, API keys as well as proprietary code written by Inter IKEA Systems.

Impact

During the analysis Pentagrid was able to download 9639 files from 3149 folders from the embedded device's filesystem over the network without any authentication. These files include:

/usr/share/config/platform/data/settings.json which includes the API key that is the same for two analysed DIRIGERA hubs.
/boot/m4-firmware which is assumed to be the Cortex M4 firmware.
Most binaries files -- here it becomes apparent that busybox is used since most of /bin/* binaries return the same (busybox) file.
Configurations of services such as the vulnerable /lib/systemd/system/license-server.service.
Intellectual property of Inter IKEA Systems B.V., e.g. shell code of /usr/sbin/boot-complete.sh.
Operational parameters that are stored in /usr/share/{factory, config, persist}.

The usage of systemd service hardening, the usage of the STSAFE enviroment, and proper Linux user permissions limits the impact. To the best of our knowledge no client specific cryptographic material is exposed to the network. What is assumed to be the client certificate under /usr/local/gw/datad/certs/cert_datacloud.crt is not accessible and would further require the protected STSAFE secret for the also inaccessible /usr/local/gw/datad/certs/key_datacloud.key.

The extracted files expose configurations, intellectual property, proprietary software, and firmware of the Ikea DIRIGERA hub, such as the vulnerabilities of the license server that is exploited here. The impact of exposed software versions is considered insignificant since the license server gives a comprehensive overview about the used software and versions regardless.

Technical Details

The vulnerability originates from the misconfigured systemd service: /lib/systemd/system/license-server.service. It serves a httpd server on port 8082 with a configuration file under /usr/share/common-licenses/httpd.conf.

Excerpt from file license-server.service:

ExecStart=httpd -f -p 8082 -c /usr/share/common-licenses/httpd.conf

Excerpt from file httpd.conf:

I:/usr/share/common-licenses/license_summary.txt

/usr/share/common-licenses/license_summary.txt includes all the licensing information of the software running on the DIRIGERA hub. This file is the only content that is intended to be accessible via the web endpoint.

Yet, if an unauthroized user visits the endpoint and appends any file system path to the base URL, the webserver returns the file contents or starts a file download, e.g.:

dirigera.example.local is here the hostname of the DIRIGERA hub.

The webserver serves these additional files due to a non-specified home directory in a busybox httpd service. The httpd call inside the systemd service does not specify the -h parameter (home/server root directory). Further, the configuration file /usr/share/common-licenses/httpd.conf only specifies the index file via tag I: but also does not specifiy the home directory using the tag H: (called server root in the configuration file). As a result, the webserver defaults to the current directory as the root directory of the webserver which is also the root directory of the entire file system (/).

All accessible files return status code 200. To identify existing folders they must be called without the tailing /, e.g. send GET request to http://dirigera.example.local:8082/usr/share/persist/tee to get status code "302 Found" and a location reference to /usr/share/persist/tee/. Directly requesting /usr/share/persist/tee/ results in status code "404 Not Found", which does not provide information to discriminate folder existence. Note, that besides the information gained from the files, attackers can gain additional information about the file system's structure by checking if a folder exists and is accessible: e.g. /usr/share/persist/tee/ is known to exist even though all files inside the folder are inaccessible.

To scrape all 12788 files and directories, Pentagrid used a preconfigured wordlist based on the extracted firmware from another DIRIGERA hub. The total number of accessible entities is a lower (but confirmed) limit since crawling the licence endpoint/filesystem was done based on a non-comprehensive wordlist. The crawling wordlist included only known paths from partitions 9, 10, 11, 13, 14, 15, 16, 17, 18, and 20 of the emmc flash with partitions 15, 16/17, and 18/19 mounted under /usr/share/{factory, config, persist}.

The system tries to limit access with systemd service hardening, especially the InaccessiblePaths setting in combination with the Linux user permissions — although this is not sufficient, it prevents further exploitation.

Precondition

An attacker needs access to TCP port 8082 of the IKEA DIRIGERA smart hub. Prior knowledge of the filesystem structure is not necessary but can reduce the time required to scrape the entire contents of the filesystem. A version before the 2.934.1 release has to be installed.

Recommendation

Install firmware version 2.934.1 released on 2026-04-09 or a later one. The fix removes the license-server component from the build and the functionality has been reworked to be handled elsewhere outside of the hub.

If you are using busybox httpd in a similar scenario, it is recommended to:

provide a "Home directory" to httpd by via command line or configuration file.
establish an allowlist to only expose the intended files. Beware, that busybox httpd config files are far more limited in their capabilities to restrict file access compared to their non-busybox alternative.
apply additional systemd service hardening.
not solely rely on systemd service denylisting with InaccessiblePaths to administer the served content as denylisting is bad practise for access control.

Credits

This vulnerability was discovered by Yannic 'toxsos' Hemmer (Pentagrid).

Pentagrid AG (Einträge über Embedded device)