CVE-2021-31505

Name of the Vulnerable Software and Affected Versions Arlo Q Plus version 1.9.0.3 278

Description This issue allows attackers with physical access to escalate privileges on affected installations. Authentication is not required to exploit this issue. The specific flaw exists within the SSH service, where the device can be booted into a special operation mode and hard-coded credentials are accepted for SSH authentication. An attacker can leverage this issue to escalate privileges and execute arbitrary code in the context of root.

Recommendations For Arlo Q Plus version 1.9.0.3 278, as a temporary workaround, consider disabling the SSH service until a patch is available. Restrict physical access to the device to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.