CVE-2023-25643
Two Vulnerabilities in Some ZTE Mobile Internet Products
In short
ZTE mobile internet products allow authenticated users to run unauthorized commands by injecting malicious input into network settings that aren't properly validated. This lets attackers take control of the device and perform harmful actions.
Technical detail
A command injection vulnerability (CWE-77) in ZTE mobile internet products results from insufficient input validation of network parameters. An authenticated attacker can inject arbitrary commands through the vulnerable parameters to achieve remote code execution on the affected device.
Summary generated and translated by AI from the official description.
There is a command injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of multiple network parameters, an authenticated attacker could use the vulnerability to execute arbitrary commands.
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
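Added example (not ZTE's code and not taken from the advisory) of the control whose absence the description names: each network parameter is parsed into a typed value and re-serialised before it can reach a command, and the command is built as an argv list rather than a shell string. The field names, the `br0` interface and the `ifconfig` invocation are assumptions, since the advisory does not list the affected parameters.

```python
import ipaddress
import re

# Constructed sample input; field names are hypothetical, not from the advisory.
SAMPLE_OK = {"lan_ip": "192.168.0.1", "netmask": "255.255.255.0",
             "dns_primary": "8.8.8.8", "mtu": "1500"}
SAMPLE_BAD = dict(SAMPLE_OK, dns_primary="8.8.8.8; reboot")


def _ipv4(value):
    # Parse, then re-serialise: only a canonical dotted quad leaves this function.
    if not isinstance(value, str):
        raise ValueError("not a string")
    return str(ipaddress.IPv4Address(value))


def _netmask(value):
    if not isinstance(value, str):
        raise ValueError("not a string")
    return str(ipaddress.IPv4Network("0.0.0.0/" + value).netmask)


def _mtu(value):
    # [0-9] rather than \d, which also matches non-ASCII digits.
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]{3,4}", value):
        raise ValueError("not a number")
    mtu = int(value)
    if not 576 <= mtu <= 1500:
        raise ValueError("out of range")
    return mtu


PARSERS = {"lan_ip": _ipv4, "netmask": _netmask, "dns_primary": _ipv4, "mtu": _mtu}


def validate_network_settings(form):
    """Return parsed settings, or raise ValueError naming the first bad field."""
    if set(form) != set(PARSERS):
        raise ValueError("unexpected or missing fields")
    clean = {}
    for field, parse in PARSERS.items():
        try:
            clean[field] = parse(form[field])
        except ValueError as exc:
            raise ValueError(f"{field}: {exc}") from None
    return clean


def build_ifconfig_argv(clean, iface="br0"):
    # For subprocess.run(argv) without shell=True: no shell ever parses the values.
    return ["ifconfig", iface, clean["lan_ip"], "netmask", clean["netmask"],
            "mtu", str(clean["mtu"])]
```

Rejections are worth logging with the authenticated account and source address: a settings request that fails these parsers is either a client bug or an injection attempt by a privileged session.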