Vulnerabilities discovered in the FreeRTOS operating system can expose a wide range of systems to attacks, including smart home devices and critical infrastructure, researchers warn.
FreeRTOS is an open source real-time operating system (RTOS) designed specifically for microcontrollers. The OS has many use cases, including industrial applications (sensors, actuators, pumps), B2B solutions (security equipment, door locks), and consumer products (home appliances, wearable technology). Amazon, which took over stewardship of the FreeRTOS project in 2017, has added cloud connectivity capabilities.
The commercial version of the operating system is called OpenRTOS and it’s maintained by WITTENSTEIN high integrity systems (WHIS), which also develops the safety-focused version SafeRTOS.
Researchers from Zimperium’s zLabs have analyzed FreeRTOS’s TCP/IP stack and AWS secure connectivity modules, and discovered more than a dozen vulnerabilities that also impact OpenRTOS and SafeRTOS.
Both Amazon and WHIS have developed patches for the flaws discovered by zLabs. Amazon addressed the issues with the release of Amazon FreeRTOS 1.3.2.
Because FreeRTOS is an open source project whose code is embedded in many downstream products, the mobile cybersecurity firm has decided not to disclose any vulnerability details for another 30 days, giving device vendors time to integrate and deploy the patches. An upstream fix does not protect devices already in the field until vendors ship updated firmware.
The company did, however, share some limited information about each of the flaws it discovered. The list includes four remote code execution (RCE) flaws, one denial-of-service (DoS) bug, and seven information leakage issues.
“These vulnerabilities allow an attacker to crash the device, leak information from the device’s memory, and remotely execute code on it, thus completely compromising it,” zLabs said in a blog post.
Since FreeRTOS is used by a wide range of systems, the vulnerabilities found by Zimperium researchers could be highly useful to malicious actors, including cybercriminals trying to build botnets out of home devices and sophisticated threat actors looking to target critical infrastructure.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.