Vulnerability Description
Verizon 5G Home LVSKIHP outside devices through 2022-02-15 allow anyone (knowing the device's serial number) to access a CPE admin website, e.g., at the 10.0.0.1 IP address. The password (for the verizon username) is calculated by concatenating the serial number and the model (i.e., the LVSKIHP string), running the sha256sum program, and extracting the first seven characters concatenated with the last seven characters of that SHA-256 value.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Verizon | Lvskihp Firmware | <= 2022-02-15 |
| Verizon | Lvskihp | - |
Related Weaknesses (CWE)
References
- https://github.com/JousterL/SecWriteups/blob/main/Verizon%20LVSKIHP%205G%20Modem (Exploit, Third Party Advisory)
- https://www.reddit.com/r/verizon/comments/sstq4c/5g_home_internet_dropping_out/h (Third Party Advisory)
FAQ
What is CVE-2022-28376?
CVE-2022-28376 is a vulnerability with a CVSS score of 8.1 (HIGH). Verizon 5G Home LVSKIHP outside devices through 2022-02-15 allow anyone (knowing the device's serial number) to access a CPE admin website, e.g., at the 10.0.0.1 IP address. The password (for the veri...
How severe is CVE-2022-28376?
CVE-2022-28376 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-28376?
Check the references section above for vendor advisories and patch information. Affected products include: Verizon Lvskihp Firmware, Verizon Lvskihp.