Remote Code Execution in Verizon 5G Home Outdoor Unit
CVE-2022-28374

8.8 HIGH

Key Information:

Vendor: Verizon
CVE Published: 14 July 2022

What is CVE-2022-28374?

Version 3.33.101.0 of the Verizon 5G Home LVSKIHP Outdoor Unit does not properly sanitize user-controlled parameters on the Settings page of the Engineering portal. An authenticated remote attacker within the local network can inject shell metacharacters into specific Lua scripts and achieve remote code execution with root privileges. It is crucial for users and administrators to implement security practices to mitigate this risk.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved