Remote Code Execution Vulnerability in NR8000 Series Products

Original release date: 15 September 2017

Update date: 27 September 2017





CVSS 3.0 Base Score

9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


Affected Product

NR8000 Series


Affected Versions

All versions prior to V12.17.20



All versions prior to V12.17.20 of the ZTE Microwave NR8000 series products (NR8120, NR8120A, NR8120, NR8150, NR8250, NR8000 TR and NR8950) are client/server (C/S) applications that use the Java RMI service. The servers use the Apache Commons Collections (ACC) library, which may result in Java deserialization vulnerabilities. An unauthenticated remote attacker can exploit the vulnerabilities by sending a crafted RMI request to execute arbitrary code on the target host.
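The following Python example is added here for defenders and is not part of the ZTE advisory or product code. It triages captured RMI payload bytes by heuristically scanning the Java serialization stream for class descriptors that name ACC functor classes. The function names, the deny-list of package prefixes and the sample byte strings are assumptions constructed for this illustration.

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # Java serialization magic and version
TC_CLASSDESC = 0x72                  # tag that opens a new class descriptor
# Assumed deny-list: ACC 3.x and 4.x functor packages.
SUSPECT_PREFIXES = (
    "org.apache.commons.collections.functors.",
    "org.apache.commons.collections4.functors.",
)
CLASS_NAME = re.compile(r"^\[*[A-Za-z_$][\w$.]*;?$", re.ASCII)

def class_names(payload: bytes):
    """Yield class names from class descriptors after the first stream magic."""
    start = payload.find(STREAM_MAGIC)
    if start < 0:
        return
    i = start + len(STREAM_MAGIC)
    while i + 3 <= len(payload):
        if payload[i] == TC_CLASSDESC:
            (n,) = struct.unpack_from(">H", payload, i + 1)
            raw = payload[i + 3:i + 3 + n]
            name = raw.decode("ascii", "replace")
            # A descriptor is: tag, u16 length, name, 8-byte serialVersionUID, ...
            fits = 0 < n == len(raw) and i + 3 + n + 8 <= len(payload)
            if fits and CLASS_NAME.match(name):
                yield name
                i += 3 + n + 8
                continue
        i += 1  # heuristic byte scan: resynchronise on the next byte

def suspect_classes(payload: bytes):
    """Return the sorted ACC functor class names referenced in payload."""
    return sorted({c for c in class_names(payload) if c.startswith(SUSPECT_PREFIXES)})

def sample_desc(name: str) -> bytes:
    """Constructed sample: a bare class descriptor with no object data."""
    n = name.encode("ascii")
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(n)) + n
            + b"\x00" * 8 + b"\x02\x00\x00\x78\x70")

# Constructed inputs: JRMP call byte (0x50), stream magic, TC_OBJECT, one descriptor.
SAMPLE_BENIGN = b"\x50" + STREAM_MAGIC + b"\x73" + sample_desc("java.util.HashMap")
SAMPLE_SUSPECT = b"\x50" + STREAM_MAGIC + b"\x73" + sample_desc(
    "org.apache.commons.collections.functors.InvokerTransformer")

if __name__ == "__main__":
    print("benign:", suspect_classes(SAMPLE_BENIGN), "suspect:", suspect_classes(SAMPLE_SUSPECT))
```

Because this is a byte-level heuristic rather than a full stream parser, a hit is a reason to inspect the connection, not proof of exploitation.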



Ensure that all exposed ports used by the server, including the RMI registry port, are firewalled from any untrusted IP address.



Users may upgrade or change to new versions after V12.17.20.



Thanks to Zhang Jinxin for reporting the security issues to ZTE PSIRT.



CVE-2015-6420

CVE-2015-4852

CVE-2015-7450

CVE-2015-8103


Update Records

15 September 2017, initial.

27 September 2017, CVE ID assigned.



To give feedback on or report security vulnerabilities related to ZTE products, or to obtain ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT:, PGP key ID: FF095577.