CVE-2022-28374

Name of the Vulnerable Software and Affected Versions Verizon 5G Home LVSKIHP OutDoorUnit (ODU) version 3.33.101.0

Description The issue concerns the lack of proper sanitization of user-controlled parameters within the DMACC URLs on the Settings page of the Engineering portal. This allows an authenticated remote attacker on the local network to inject shell metacharacters into /usr/lib/lua/5.1/luci/controller/admin/settings.lua, achieving remote code execution as root.

Recommendations For version 3.33.101.0, consider disabling access to the Settings page of the Engineering portal until a patch is available. Restrict access to the /usr/lib/lua/5.1/luci/controller/admin/settings.lua file to minimize the risk of exploitation. Avoid using user-controlled parameters within the DMACC URLs until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.