Statement of Vulnerabilities in ZTE MF910 and MF65+ Products

Original release date: 20 February 2019



Security researcher Takeshi reported a command injection vulnerability of MF910 and MF65+ products, and a authentication bypass vulnerability of MF910 product to ZTE PSIRT in February 2019.

Through the analysis of related product team, the command injection vulnerability confirmed exist in MF910 and MF65+ products, due to insufficient parameter validation check, an attacker could exploit this vulnerability to execute arbitrary commands. The authentication bypass vulnerability confirmed exist in MF910 product, an attacker could exploit this vulnerability to extract device authentication information before authentication.

MF910 and MF65+ were end of service on September 27, 2017, and the vulnerabilities were fixed in the substitute products MF920 and MF65M2. ZTE recommends you to choose substitute products for the purpose of better security.



Thanks to security researcher Takeshi for reporting the security vulnerabilities to ZTE PSIRT.


Update Records

 20 February 2019, initial.


Supporting team contacts

1.  ZTE GCSC hotline:




2.  Product forum at ZTE Support website.



If you need to feedback or report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT:, PGP key ID: FF095577.