Security researchers have found and reported 14 vulnerabilities in BusyBox, the userspace tool suite used in millions of embedded devices running Linux-based firmware. Although none of the flaws is rated high severity, some of them could lead to remote code execution (RCE). The findings underline the need for embedded and IoT devices to receive updates consistently.

BusyBox is a software utilities suite that its creators describe as the Swiss army knife of embedded Linux. It contains implementations of the most common Linux command-line tools, together with a shell and a DHCP client and server, all packaged as a single binary. BusyBox has become a de facto standard in the embedded Linux userspace, its standalone binary having support for over 300 common Linux commands.

"You’re likely to find many OT and IoT devices running BusyBox, including popular programmable logic controllers (PLCs), human-machine interfaces (HMIs), and remote terminal units (RTUs)—many of which now run on Linux," researchers from DevOps specialist firm JFrog said in a report. "We inspected JFrog’s database of more than 10,000 embedded firmware images [...]. We found that 40% of them contained a BusyBox executable file that is linked with one of the affected applets, making these issues extremely widespread among Linux-based embedded firmware."
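The JFrog survey above works because a BusyBox build embeds its version banner and the names of every applet compiled into the single binary, so an extracted firmware root can be inventoried offline. The following script is an added example written for this page, not JFrog's tooling and not part of the original report: it walks a firmware root, identifies ELF files carrying the `BusyBox v...` banner, pulls NUL-separated applet-name tokens from each, and reports which of a watch list are present. The watch list `WATCHED_APPLETS` and the fake firmware tree built by `build_demo_root()` are constructed placeholders for demonstration; a real run should replace the watch list with the applets named in the advisory and point `scan_root()` at an extracted image.

```python
"""Inventory check: find BusyBox binaries in an extracted firmware root and
report each one's version plus which watched applets it contains.
Added example for this page (not JFrog's tooling). WATCHED_APPLETS is a
constructed placeholder set, not the advisory's list of affected applets."""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, Optional, Set

# Every BusyBox binary embeds a banner such as "BusyBox v1.33.1 (2021-06-30 ...)".
VERSION_RE = re.compile(rb"BusyBox v(\d+\.\d+(?:\.\d+)?)")
# Applet names are short lowercase tokens stored NUL-separated in the binary.
APPLET_TOKEN_RE = re.compile(rb"[a-z0-9_.-]+")

# Placeholder watch list (constructed for the demo); replace with the applets
# named in the advisory you are checking against.
WATCHED_APPLETS: Set[str] = {"hush", "lzma", "unlzma", "tar"}


def string_tokens(data: bytes) -> Iterator[str]:
    """Yield NUL-terminated ASCII tokens that look like applet names."""
    for chunk in data.split(b"\x00"):
        if 2 <= len(chunk) <= 24 and APPLET_TOKEN_RE.fullmatch(chunk):
            yield chunk.decode("ascii")


def inspect_binary(path: Path, watched: Set[str]) -> Optional[Dict]:
    """Return version and matching applets for a BusyBox ELF, else None."""
    data = path.read_bytes()
    if not data.startswith(b"\x7fELF"):
        return None  # scripts, symlink targets, data files: not a candidate
    match = VERSION_RE.search(data)
    if match is None:
        return None  # an ELF, but not BusyBox
    present = sorted(set(string_tokens(data)) & watched)
    return {
        "path": str(path),
        "version": match.group(1).decode("ascii"),
        "watched_applets_present": present,
    }


def scan_root(root: Path, watched: Set[str]) -> List[Dict]:
    """Walk an extracted firmware root and collect BusyBox findings."""
    findings: List[Dict] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            candidate = Path(dirpath) / name
            # Skip the many applet symlinks (/bin/ls -> busybox); the real
            # binary is inspected once when the walk reaches it.
            if candidate.is_symlink() or not candidate.is_file():
                continue
            try:
                result = inspect_binary(candidate, watched)
            except OSError:
                continue  # unreadable file: ignore and keep scanning
            if result is not None:
                findings.append(result)
    return sorted(findings, key=lambda r: r["path"])


def build_demo_root(root: Path) -> Path:
    """Write a constructed fake firmware tree: one fake BusyBox ELF and one
    shell script, so the scanner can be exercised offline."""
    (root / "bin").mkdir(parents=True, exist_ok=True)
    fake_busybox = (
        b"\x7fELF" + b"\x00" * 12
        + b"BusyBox v1.33.1 (2021-06-30 12:00:00 UTC) multi-call binary.\x00"
        + b"\x00".join(b"ash cat hush ls lzma sh unlzma".split()) + b"\x00"
    )
    (root / "bin" / "busybox").write_bytes(fake_busybox)
    (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho not busybox\n")
    return root


def run_demo() -> List[Dict]:
    """Build the constructed tree in a temp dir and scan it."""
    root = build_demo_root(Path(tempfile.mkdtemp(prefix="fw_demo_")))
    return scan_root(root, WATCHED_APPLETS)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding['path']}: BusyBox {finding['version']}, "
              f"watched applets present: {finding['watched_applets_present']}")
```

The token heuristic is deliberately loose (any short lowercase NUL-terminated string), which is why it is intersected with an explicit watch list rather than reported wholesale; on a real image, pair the version it reports with the vendor's fixed-version information to decide whether the device needs an update.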