PT-2022-18981 · Verizon · Verizon 5G Home Lvskihp Outdoorunit

Published: 2022-07-14 · Updated: 2022-07-21 · CVE-2022-28372

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Verizon 5G Home LVSKIHP InDoorUnit (IDU) version 3.4.66.162
Verizon 5G Home LVSKIHP OutDoorUnit (ODU) version 3.33.101.0
Description

The CRTC and ODU RPC endpoints in the affected devices provide a means of provisioning a firmware update via crtc_fw_upgrade or crtcfwimage. However, the URL supplied to these calls is not validated, which allows arbitrary file upload to the device. The issue is present in /lib/lua/luci/crtc.lua (IDU) and /lib/functions/wnc_jsonsh/wnc_crtc_fw.sh (ODU).
Recommendations

For Verizon 5G Home LVSKIHP InDoorUnit (IDU) version 3.4.66.162, consider disabling the crtc_fw_upgrade and crtcfwimage functions until a patch is available. For Verizon 5G Home LVSKIHP OutDoorUnit (ODU) version 3.33.101.0, restrict access to the /lib/functions/wnc_jsonsh/wnc_crtc_fw.sh script to minimize the risk of exploitation. As a temporary workaround, avoid using the crtc_fw_upgrade and crtcfwimage functions of the affected RPC endpoints until the issue is resolved.


Weakness Enumeration

Unrestricted File Upload

Related Identifiers

CVE-2022-28372

Affected Products

Verizon 5G Home Lvskihp Outdoorunit