Command Execution Vulnerability in a ZTE Conference Management System

Original release date:  August 30, 2021

 

CVE ID

CVE-2021-21741

 

CVSS 3.1 Base Score

8.1 High (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L)

 

Description

There is a command execution vulnerability in a ZTE conference management system. Because some services are enabled by default, an attacker could exploit this vulnerability to execute arbitrary commands by sending a specific serialization command.

 

Affected Products and Fixes

Product Name                           Affected Versions                         Resolved Version

ZXV10 MS90, ZXV10 M9000C, ZXV10 M910   V1.2.20.01 series and earlier versions;   V1.2.21.03P06
                                       V1.2.21.01 and V1.2.21.01P01-P07

                                       V1.2.22.01 series                         V2.22.10

ZXV10 M900                             V1.2.19.01 series and earlier versions    None (end-of-life; see below)

 

This product is end-of-life; we recommend that users choose the alternative product ZXV10 M910. Users can also contact the ZTE Global Customer Support Center to obtain the security hardening guidebook and modify the configuration to fix the vulnerability.

Operator customers please dial 4008301118 (mobile phone) or 8008301118 (landline phone).

Government and enterprise customers please dial 4008309870 (mobile phone) or 8008309870 (landline phone).
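To triage an inventory of these systems against the version ranges in the table above, here is an added Python helper; it is not ZTE's code, and the version-string grammar it assumes ("V", a dotted numeric base, an optional "P" patch level) is inferred from the strings in this advisory. Versions the table does not name come back as "not listed", since the advisory does not classify them.

```python
import re
from typing import Optional, Tuple

# Assumed version grammar, inferred from strings such as "V1.2.21.01P03" and "V2.22.10":
# "V" + dotted numeric base + optional "P" patch level.
_VER_RE = re.compile(r"^V(\d+(?:\.\d+)*)(?:P(\d+))?$")

def parse_version(s: str) -> Tuple[Tuple[int, ...], Optional[int]]:
    """Split e.g. 'V1.2.21.01P03' into ((1, 2, 21, 1), 3); patch is None when absent."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    base = tuple(int(x) for x in m.group(1).split("."))
    patch = int(m.group(2)) if m.group(2) is not None else None
    return base, patch

def assess(product: str, version: str) -> Tuple[str, Optional[str]]:
    """Classify a product/version pair for CVE-2021-21741.

    Returns (status, resolved_version), where status is 'affected', 'resolved'
    or 'not listed' (the advisory's table does not name that version).
    """
    base, patch = parse_version(version)
    product = product.upper().replace(" ", "")
    if product == "ZXV10M900":
        # End-of-life: the advisory names no fixed release, only the ZXV10 M910 alternative.
        return ("affected", None) if base <= (1, 2, 19, 1) else ("not listed", None)
    if product not in {"ZXV10MS90", "ZXV10M9000C", "ZXV10M910"}:
        raise ValueError(f"product {product!r} is not covered by this advisory")
    # Row 1: V1.2.20.01 series and earlier (any patch level), plus V1.2.21.01
    # with no patch or P01-P07; fixed in V1.2.21.03P06.
    if base <= (1, 2, 20, 1) or (base == (1, 2, 21, 1) and (patch is None or 1 <= patch <= 7)):
        return "affected", "V1.2.21.03P06"
    if base == (1, 2, 21, 3) and patch == 6:
        return "resolved", "V1.2.21.03P06"
    # Row 2: the V1.2.22.01 series (any patch level); fixed in V2.22.10.
    if base == (1, 2, 22, 1):
        return "affected", "V2.22.10"
    if base == (2, 22, 10):
        return "resolved", "V2.22.10"
    # Anything else (e.g. V1.2.21.01P08, V1.2.21.03P01) is not classified by the advisory.
    return "not listed", None
```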

 

Acknowledgement

Thanks to China National Vulnerability Database (CNVD) for reporting the security vulnerability to ZTE PSIRT.

 

Update Records

August 30, 2021, initial.

May 26, 2023, updated affected products and fixes.

 

Version Update Method

Please contact ZTE Global Customer Support Center to obtain the upgraded version.

 

Global Customer Support Center

http://support.zte.com.cn/support/web/Contact.aspx?_langType=en

 

ZTE PSIRT

https://www.zte.com.cn/global/cybersecurity/ztepsirt.html