CVE-2023-25649
OS Command Injection Vulnerability in a Mobile Internet Product of ZTE
In short
A ZTE mobile internet device has a flaw where an authenticated attacker can inject and run arbitrary OS commands through an insufficiently validated interface parameter, gaining command execution the interface was never meant to allow.
Technical detail
CWE-77 OS command injection in the SET_DEVICE_LED interface allows authenticated attackers to execute arbitrary system commands, because the interface parameters are not sufficiently validated before use. Exploitation requires prior authentication, but once authenticated the attacker gains full command execution with the privileges of the device process handling the interface.
Summary generated and translated by AI from the official description.
There is a command injection vulnerability in a mobile internet product of ZTE. Due to insufficient validation of the SET_DEVICE_LED interface parameter, an authenticated attacker could use the vulnerability to execute arbitrary commands.
CVSS v3.1 vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (adjacent-network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality, integrity and availability impact)
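As an added illustration of the bug class behind this CVE (not ZTE's firmware, which is not public), the following contrasts a handler that splices the SET_DEVICE_LED parameter into a shell command line with one that accepts only allowlisted values and launches its helper without a shell. The interface name comes from the advisory; the mode values, the led_ctl helper and its path, and all function names are assumptions.

```c
/* Added illustration of the CVE-2023-25649 bug class, not ZTE firmware.
 * SET_DEVICE_LED is from the advisory; modes, helper and path are assumed. */
#include <stdio.h>
#include <string.h>

/* Vulnerable shape (built for comparison only, never executed): the untrusted
 * mode is spliced into a shell line, so shell metacharacters in it change
 * what the shell runs. */
int build_led_cmd_unsafe(const char *mode, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "led_ctl %s", mode);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened shape: accept only allowlisted values and hand the helper an argv
 * for execv(), so no shell ever parses the input. */
static const char *const LED_MODES[] = { "on", "off", "blink" };
int led_mode_allowed(const char *mode)
{
    if (mode == NULL) return 0;
    for (size_t i = 0; i < sizeof LED_MODES / sizeof *LED_MODES; i++)
        if (strcmp(mode, LED_MODES[i]) == 0) return 1;
    return 0;
}

/* Fills a NULL-terminated argv and returns 0, or -1 on rejection. With a fixed
 * path and direct exec the value can only be one argument, never a command. */
int build_led_argv(const char *mode, const char *argv[3])
{
    if (!led_mode_allowed(mode)) return -1;
    argv[0] = "/usr/sbin/led_ctl";   /* assumed helper location */
    argv[1] = mode;
    argv[2] = NULL;
    return 0;
}

/* What the request handler would call: 1 = accepted, 0 = rejected. */
int led_request_ok(const char *mode)
{
    const char *argv[3];
    return build_led_argv(mode, argv) == 0;
}
int main(void)
{
    const char *samples[] = { "on", "blink", "on;x", "$(x)", "" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-6s -> %s\n", samples[i],
               led_request_ok(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The allowlist is the primary control; passing an argv to execv() instead of a string to system() is the defence in depth that holds even if the allowlist is later widened.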
Affected products
ZTE · MF286R