CVE-2018-11629
Severity CVSS v4.0:
Pending analysis
Type:
CWE-798
Use of Hard-coded Credentials
Publication date:
02/06/2018
Last modified:
05/08/2024
Description
Default and unremovable support credentials (user:lutron password:integration) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the HomeWorks QS Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Base Score 2.0
10.00
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:lutron:stanza_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:lutron:stanza:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:lutron:radiora_2_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:lutron:radiora_2:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:lutron:homeworks_qs_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:lutron:homeworks_qs:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page