Command Injection Vulnerability in ZTE MF286R

Initial Release Date:  December 25, 2022

 

Vulnerability ID

CVE IDCVE-2022-39073        CNNVD IDCNNVD-2022-94899914

 

CVSS 3.1 Base Score 

6.8 MediumAV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

 

Description 

There is a command injection vulnerability in ZTE MF286R, Due to insufficient validation of the input parameters, an attacker could use the vulnerability to execute arbitrary commands.

 

Affected Products and Fixes

Product Name

Affected Version

Resolved Version

MF286R

Nordic_MF286R_B06

Nordic_MF286R_B07

  

Acknowledgement

ZTE thanks Andrea Maugeri for paying attention to our products and cooperating with us to disclose vulnerabilities.

 

Update Records

December 25, 2022, initial.

 

Version Update Method

A device that supports automatic update can receive a pop-up update message. You can upgrade the device accordingly. If no update message is received, contact your service provider to obtain the update information.

 

Global Customer Support Center

http://support.zte.com.cn/support/web/Contact.aspx?_langType=en

 

ZTE PSIRT

https://www.zte.com.cn/global/cybersecurity/ztepsirt.html

[Close]