Vulnerability Description
Improper physical access control and use of hard-coded credentials in /etc/passwd permits an attacker with physical access to obtain a root shell via an unprotected UART port on the device. The same port exposes an unauthenticated Das U-Boot BIOS shell.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Phicomm | K2 Firmware | <= 22.5.9.163 |
| Phicomm | K2 | - |
| Phicomm | K3 Firmware | <= 21.5.37.246 |
| Phicomm | K3 | - |
| Phicomm | K3C Firmware | <= 32.1.15.93 |
| Phicomm | K3C | - |
| Phicomm | K2G Firmware | <= 22.6.3.20 |
| Phicomm | K2G | - |
| Phicomm | K2P Firmware | <= 20.4.1.7 |
| Phicomm | K2P | - |
Related Weaknesses (CWE)
References
- https://www.tenable.com/security/research/tra-2022-01ExploitThird Party Advisory
- https://www.tenable.com/security/research/tra-2022-01ExploitThird Party Advisory
FAQ
What is CVE-2022-25213?
CVE-2022-25213 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Improper physical access control and use of hard-coded credentials in /etc/passwd permits an attacker with physical access to obtain a root shell via an unprotected UART port on the device. The same p...
How severe is CVE-2022-25213?
CVE-2022-25213 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-25213?
Check the references section above for vendor advisories and patch information. Affected products include: Phicomm K2 Firmware, Phicomm K2, Phicomm K3 Firmware, Phicomm K3, Phicomm K3C Firmware.