Weak Access Control in Verizon 5G Home Devices
CVE-2022-28377

7.5HIGH

Key Information:

Vendor: Verizon
Status: LvskiHP Indoorunit Firmware
Vendor: CVE Published:; 14 July 2022

What is CVE-2022-28377?

Verizon 5G Home devices, specifically the InDoorUnit (IDU) and OutDoorUnit (ODU), exhibit a serious access control vulnerability due to reliance on static username and password combinations for the CRTC and ODU RPC endpoints. An attacker can generate this password using included firmware binaries by manipulating the MAC address of the IDU's base Ethernet interface, leading to potential unauthorized access and exploitation of the device's functionalities. This issue underscores the necessity for improved access controls and prompt firmware updates to mitigate risks associated with static credential usage.

References

https://www.verizon.com/info/reportsecurityvulnerability/

x_refsource_MISC

https://github.com/JousterL/SecWriteups/blob/main/Verizon...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 14, 2022
Vulnerability Reserved
Apr 3, 2022

CVE-2022-28377 Data

JSON