EyeLock’s nano NXT firmware latest version 3.5 (released 25.07.2016) suffers from multiple unauthenticated command injection vulnerabilities. The issue lies within the ‘rpc.php’ script located in the ‘/scripts’ directory and can be triggered when user supplied input is not correctly sanitized while updating the local time for the device and/or get info from remote time server. The vulnerable script has two REQUEST parameters ‘timeserver’ and ‘localtime’ that are called within a shell_exec() function for setting the local time and the hardware clock of the device. An attacker can exploit these conditions gaining full system (root) access and execute OS commands on the affected device by injecting special characters to the affected parameters and further bypass the access control in place.