Statement on the Unauthorized Configuration Access Vulnerability in ZTE ZXDSL 831CII

Original release date: 29 November 2017

 

CVE ID

CVE-2017-16953

 

Statement

ZTE ZXDSL 831CII V6.2 is vulnerable to remote root command execution because it lacks authorization control for configuration access.

As 831CII V6.2 reached end of sale and service in 2011, and its replacement version 831CII V2.0 also reached end of sale and service in March 2015, we strongly recommend that users choose the replacement version H108N V2.5.

 

Credit

An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

We would also like to thank Ibad Shah for reporting a similar issue to ZTE PSIRT.

 

References

https://www.exploit-db.com/exploits/43188/

http://toutiao.secjia.com/zxdsl-831-uca-cve-2017-16953

http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1006805

http://support.zte.com.cn/support/news/NewsDetail.aspx?newsId=1006384

 

Update Records

29 November 2017, initial.

 

Supporting team contacts

1.  ZTE GCSC hotline:

0755-26770800

800-830-1118

400-830-1118

2.  Product forum at ZTE Support website.

 

ZTE PSIRT

If you need to give feedback on or report security vulnerabilities related to ZTE products, or to obtain ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.
