FreeRTOS Vulnerabilities Expose Many Systems to Attacks

Vulnerabilities discovered in the FreeRTOS operating system can expose a wide range of systems to attacks, including smart home devices and critical infrastructure, researchers warn.

FreeRTOS is an open source operating system designed specifically for microcontrollers. The OS has many use cases, including industrial applications (sensors, actuators, pumps), B2B solutions (security equipment, door locks), and consumer products (home appliances, wearable technology). Amazon, which took over the FreeRTOS project in 2017, has added cloud connectivity capabilities.

The commercial version of the operating system is called OpenRTOS and it’s maintained by WITTENSTEIN high integrity systems (WHIS), which also develops the safety-focused version SafeRTOS.

Researchers from Zimperium’s zLabs have analyzed FreeRTOS’s TCP/IP stack and AWS secure connectivity modules, and discovered more than a dozen vulnerabilities that also impact OpenRTOS and SafeRTOS.

Both Amazon and WHIS have developed patches for the flaws discovered by zLabs. Amazon addressed the issues with the release of FreeRTOS 1.3.2.

Since FreeRTOS is an open source project, the mobile cybersecurity firm has decided not to disclose any vulnerability details for another 30 days to allow vendors to deploy the patches.

The company did, however, share some limited information about each of the flaws it discovered. The list includes four remote code execution, one denial-of-service (DoS), and seven information leakage issues.

“These vulnerabilities allow an attacker to crash the device, leak information from the device’s memory, and remotely execute code on it, thus completely compromising it,” zLabs said in a blog post.

Since FreeRTOS is used by a wide range of systems, the vulnerabilities found by Zimperium researchers can be highly useful to malicious actors, including cybercriminals trying to build botnets powered by home devices, and sophisticated threat actors looking to target critical infrastructure.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
