PT-2018-10714 · Lutron · Homeworks Qs
Published 2018-06-02 · Updated 2024-08-05 · CVE-2018-11629
CVSS v2.0: 10 (High)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
HomeWorks QS Lutron integration protocol versions Revision M through Revision Y
Description
The issue allows attackers to gain total super user control of an IoT device through a TELNET session. Default and unremovable support credentials are used, with the username being lutron and the password being integration. The vendor disputes this as a vulnerability, stating that the accessible commands are limited to controlling lighting and do not allow arbitrary code execution or admin-level control of a machine.
Recommendations
For HomeWorks QS Lutron integration protocol versions Revision M through Revision Y, consider disabling the TELNET session as a temporary workaround to minimize the risk of exploitation. Restrict network access to the interface that accepts the default support credentials, so they cannot be used for unauthorized control of the IoT device. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
Using Hardcoded Credentials
Related Identifiers
Affected Products
Homeworks Qs