PT-2018-10746 · Lutron · Lutron Radiora 2

Published: 2018-06-02 · Updated: 2024-08-05 · CVE-2018-11681

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Lutron RadioRA 2 versions Revision M through Revision Y

Description: The issue allows attackers to gain total super user control of an IoT device through a TELNET session. Default and unremovable support credentials are used, with the username nwk and password nwk2. The vendor disputes this as a vulnerability, stating that the accessible commands are limited to controlling lighting and do not allow arbitrary code execution or admin-level control of a machine.

Recommendations: For versions Revision M through Revision Y, consider disabling the TELNET session as a temporary workaround to minimize the risk of exploitation. Restrict access to the default support credentials to prevent unauthorized control of the IoT device.

Fix

Using Hardcoded Credentials

Weakness Enumeration

Related Identifiers

CVE-2018-11681

Affected Products

Lutron Radiora 2