Remote code execution in LG mobile devices with Android OS
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-12753 |
| CWE-ID | CWE-74 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
Google Android Operating systems & Components / Operating system LG DH50 Mobile applications / Mobile firmware & hardware LG DH5 Mobile applications / Mobile firmware & hardware LG DH40 Mobile applications / Mobile firmware & hardware LG DH35 Mobile applications / Mobile firmware & hardware LG DH30 Mobile applications / Mobile firmware & hardware LG DH15 Mobile applications / Mobile firmware & hardware LG DH10 Mobile applications / Mobile firmware & hardware LG Q70 Mobile applications / Mobile firmware & hardware LG Q60 Mobile applications / Mobile firmware & hardware LG K50 Mobile applications / Mobile firmware & hardware LG K40 Mobile applications / Mobile firmware & hardware LG K30 Mobile applications / Mobile firmware & hardware LG K20 Mobile applications / Mobile firmware & hardware LG CV7AS Mobile applications / Mobile firmware & hardware LG CV1S Mobile applications / Mobile firmware & hardware LG CV7 Mobile applications / Mobile firmware & hardware LG CV5 Mobile applications / Mobile firmware & hardware LG CV3 Mobile applications / Mobile firmware & hardware LG CV1 Mobile applications / Mobile firmware & hardware LG X cam Mobile applications / Mobile firmware & hardware LG X500 Mobile applications / Mobile firmware & hardware LG X400 Mobile applications / Mobile firmware & hardware LG X300 Mobile applications / Mobile firmware & hardware LG Q8 Mobile applications / Mobile firmware & hardware LG Q6 Mobile applications / Mobile firmware & hardware LG V60 Mobile applications / Mobile firmware & hardware LG V50 Mobile applications / Mobile firmware & hardware LG V40 Mobile applications / Mobile firmware & hardware LG V35 Mobile applications / Mobile firmware & hardware LG V30 Mobile applications / Mobile firmware & hardware LG V20 Mobile applications / Mobile firmware & hardware LG G8 Mobile applications / Mobile firmware & hardware LG G7 Mobile applications / Mobile firmware & hardware LG G6 Mobile applications / Mobile firmware & hardware |
| Vendor |
Google LG Electronics |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Improper Neutralization of Special Elements in Output Used by a Downstream Component
EUVDB-ID: #VU28535
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2020-12753
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to improper validation of input in the bootloader. A remote attacker can execute arbitrary code on the system.
Note: The LG ID is LVE-SMP-200006
MitigationInstall updates from vendor's website.
Vulnerable software versionsGoogle Android: 7.2 - 10
LG DH50: All versions
LG DH5: All versions
LG DH40: All versions
LG DH35: All versions
LG DH30: All versions
LG DH15: All versions
LG DH10: All versions
LG Q70: All versions
LG Q60: All versions
LG K50: All versions
LG K40: All versions
LG K30: All versions
LG K20: All versions
LG CV7AS: All versions
LG CV1S: All versions
LG CV7: All versions
LG CV5: All versions
LG CV3: All versions
LG CV1: All versions
LG X cam: All versions
LG X500: All versions
LG X400: All versions
LG X300: All versions
LG Q8: All versions
LG Q6: All versions
LG V60: All versions
LG V50: All versions
LG V40: All versions
LG V35: All versions
LG V30: All versions
LG V20: All versions
LG G8: All versions
LG G7: All versions
LG G6: All versions
CPE2.3- cpe:2.3:o:google:android:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_dh50:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_dh5:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_dh40:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_dh35:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_dh30:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_dh15:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_dh10:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_q70:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_q60:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_k50:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_k40:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_k30:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_k20:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_cv7as:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_cv1s:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_cv7:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_cv5:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_cv3:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_cv1:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_x_cam:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_x500:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_x400:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_x300:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_q8:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_q6:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_v60:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_v50:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_v40:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_v35:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_v30:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_v20:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_g8:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_g7:*:*:*:*:*:*:*:*
- cpe:2.3:a:lg_electronics:lg_g6:*:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
