Authentication Bypass in Verizon 5G Home Devices
CVE-2022-28376

8.1 HIGH

Key Information:

Vendor: Verizon
CVE Published: 3 April 2022

What is CVE-2022-28376?

The Verizon 5G Home LVSKIHP devices are susceptible to unauthorized access due to a flaw in their authentication process. An attacker who knows the device's serial number can gain access to the CPE administration web interface, typically located at the 10.0.0.1 IP address. The password for the administrator account is generated by a predictable method: the device's serial number is combined with the model identifier, and the password is taken from the first and last seven characters of the SHA-256 hash of the concatenated string. Because the derivation uses no secret beyond the serial number, the password offers no real protection, which poses a significant threat to device security and user data confidentiality.

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
