Statement of Vulnerabilities in ZTE MF65 and MF65M1

Original release date: 10 September 2018

Update date: 27 September 2018





CVSS 3.0 Base Score

4.6 Medium(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)



Cyber Security Philippines CERT - Red Team reported two script injection vulnerabilities of MF65 V1.0.0B05 to ZTE PSIRT in July 2018. Security researcher Markclancys also reported a reflected cross-site scripting vulnerability of MF65M1 V1.0.0B02 to ZTE PSIRT in August 2018.

Through the analysis of related product teams, the script injection vulnerabilities confirmed in V1.0 versions of both MF65 and MF65M1 products. Due to incomplete input validation, the attacker can cause damage to devices by embedding malicious JS code in the URL link.

As ZTE MF65 was end of service in August 2016, and MF65M1 was also end of service in September, 2017, ZTE strongly recommend users to replace with newer UFI products for the purpose of better security.



Thanks to Cyber Security Philippines CERT - Red Team and security researcher Markclancys for reporting the security vulnerabilities to ZTE PSIRT.




Update Records

10 September 2018, initial.

27 September 2018, CVE ID assigned and Statement updated.


Supporting team contacts

1.  ZTE GCSC hotline:




2.  Product forum at ZTE Support website.



If you need to feedback or report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT:, PGP key ID: FF095577.