Remote Code Execution Vulnerability in Verizon 5G Home Indoor Units
CVE-2022-28373

9.8 CRITICAL

Key Information:

Vendor: Verizon

CVE Published: 14 July 2022

What is CVE-2022-28373?

The Verizon 5G Home Indoor Unit version 3.4.66.162 is susceptible to a remote code execution vulnerability due to improper sanitization of user-controlled parameters in the crtcreadpartition function of its JSON listener. An attacker with local network access could exploit this flaw by injecting shell metacharacters, potentially allowing them to execute arbitrary commands with root privileges. This poses a significant security risk, as it could compromise the integrity and availability of the device.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
