CVE-2022-28375

Name of the Vulnerable Software and Affected Versions Verizon 5G Home LVSKIHP OutDoorUnit (ODU) version 3.33.101.0

Description The issue arises from improper sanitization of user-controlled parameters within the crtcsimprofile function of the crtcrpc JSON listener. This allows a remote attacker on the local network to inject shell metacharacters into /usr/lib/lua/5.1/luci/controller/rpc.lua, resulting in remote code execution as root.

Recommendations For Verizon 5G Home LVSKIHP OutDoorUnit (ODU) version 3.33.101.0, consider disabling the crtcsimprofile function of the crtcrpc JSON listener as a temporary workaround until a patch is available. Restrict access to the /usr/lib/lua/5.1/luci/controller/rpc.lua file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.