CVE-2022-29730

Vulnerability

The USR IOT 4G LTE Industrial Cellular VPN Router running firmware version 1.0.36 contains hard-coded credentials for the highest privileged account (root). These credentials are embedded in the firmware and cannot be altered through normal device operation. [2]

Exploitation

An attacker with network access to the router can authenticate using the hard-coded credentials against services such as SSH or the web management interface. No additional authentication bypass is required. The credentials are static and widely accessible. [2]

Impact

Successful exploitation grants the attacker full administrative control over the router, enabling complete compromise of confidentiality (access to network traffic, configuration data), integrity (modify settings, install malicious firmware), and availability (disrupt device operation). [2]

Mitigation

As of the publication date (2022-05-27), no official firmware update addressing the hard-coded credentials has been released. Users should restrict network access to the device and monitor for vendor updates. The credentials cannot be changed via normal administration. [2]