We have received a notification from security research organisation recently about Mongoose Networking library vulnerability.
The advisory was concerning handling of the multipart upload code: http://seclists.org/fulldisclosure/2017/Apr/8 .
Prior to making that disclosure public, we have updated our customers and then released the public patch and a stable branch https://github.com/cesanta/mongoose/tree/6.7.1.
The advisory tells about denial of service on Mongoose OS. However it should be noted that on low-power microcontrollers which Mongoose OS targets, it is very trivial to do a denial of service if a microcontroller acts as a server (due to the limited RAM available). Just fire several netcat sessions from your terminal and your microcontroller is down, so there is no need to exploit any vulnerabilities.
Both Mongoose OS and Mongoose Networking library are fixed at this moment. Please make sure you're using the latest stable version.
As a security best practice we recommend to avoid using device in the server mode. Instead make it a client, talking to a backend, reporting data and reacting on commands. That way you will prevent the large class of security attacks.