SUMMARY

The following vulnerability was found in the QVidium Technologies Amino A140.

CVE-2022-40021

Old versions of the QVidium Technologies Amino A140 set-top decoder contain a command injection vulnerability in the web management interface.

IMPACT

Access Vector: Local Network Exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows remote code execution, Allows disruption of service
Privilege Level: root

AFFECTED PRODUCTS

  • QVidium Technologies Amino A140 (QVAM140)

SOFTWARE FIXES

The QVidium Technologies Amino A140 is now an unsupported product. More recent versions of the product with updated firmware can be found at https://www.qvidium.com/QVDEC.html.

If you are unable to obtain the latest officially supported product, it is recommended that you block access to the web management ports on the device.

TIMELINE

REFERENCES

  • https://www.qvidium.com/QVDEC.html