CVE-2022-28373

Name of the Vulnerable Software and Affected Versions Verizon 5G Home LVSKIHP InDoorUnit (IDU) version 3.4.66.162

Description The issue arises from improper sanitization of user-controlled parameters within the crtcreadpartition function of the crtcrpc JSON listener in /usr/lib/lua/luci/crtc.lua. This allows a remote attacker on the local network to inject shell metacharacters, achieving remote code execution as root.

Recommendations For version 3.4.66.162, consider disabling the crtcreadpartition function until a patch is available to prevent remote code execution. Restrict access to the /usr/lib/lua/luci/crtc.lua file to minimize the risk of exploitation. Avoid using user-controlled parameters in the affected JSON listener until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.