Original release date: August 30, 2021

CVE ID: CVE-2021-21741

CVSS 3.1 Base Score: 8.1 High (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L)

Description

A ZTE conference management system is impacted by a command execution vulnerability. Because the soapmonitor Java object service is enabled by default, an attacker could exploit this vulnerability to execute arbitrary commands by sending a deserialization payload to port 5001.

Affected Products and Fixes

Product Name | Affected Versions | Resolved Version |
ZXV10 M910 | ZXV10 M910 V1.2.21.01.04P01, ZXV10 M910 V1.2.20.01U01.01, ZXV10 M910 V1.2.19.01U01.01, ZXV10 M910 V1.2.16.01U01.01 | ZXV10 M910 V1.2.23.01 |
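For the Description above, a detection aid added here (not part of ZTE's advisory): it flags captured flows to port 5001 whose first bytes are a Java object serialization stream header and reports the top-level class name for triage. The flow tuple format, function names and sample data are assumptions for illustration; feed it from your own capture tooling.

```python
import struct

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC + STREAM_VERSION
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72     # type tags that open a new object
MONITOR_PORT = 5001                      # port named in the advisory


def top_level_class(payload):
    """None if not a Java object stream, else the first object's class name
    ("" when the header is truncated or does not open with a plain object)."""
    if not payload.startswith(JAVA_STREAM_MAGIC):
        return None
    body = payload[4:]
    if len(body) < 4 or body[0] != TC_OBJECT or body[1] != TC_CLASSDESC:
        return ""
    (name_len,) = struct.unpack(">H", body[2:4])
    name = body[4:4 + name_len]
    return name.decode("utf-8", "replace") if len(name) == name_len else ""


def flag_flows(flows, allowed_sources=frozenset()):
    """flows: (src_ip, dst_port, first_payload_bytes) tuples (assumed format)."""
    alerts = []
    for src, dport, payload in flows:
        if dport != MONITOR_PORT or src in allowed_sources:
            continue
        cls = top_level_class(payload)
        if cls is not None:
            alerts.append({"src": src, "class": cls or "<unparsed>"})
    return alerts


# Constructed sample flows: documentation address ranges, benign class name.
SAMPLE_FLOWS = [
    ("198.51.100.7", 5001, b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap" + b"\x00" * 8),
    ("192.0.2.10", 5001, b"GET / HTTP/1.1\r\n"),                     # not a Java stream
    ("198.51.100.7", 8080, b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap"),  # other port
    ("192.0.2.20", 5001, b"\xac\xed\x00\x05w\x04"),                  # truncated header
]

if __name__ == "__main__":
    for alert in flag_flows(SAMPLE_FLOWS):
        print(alert)
```

Any hit from a source outside the management network is worth investigating until the device runs the resolved version, since the advisory states the service is enabled by default.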
Acknowledgement

Thanks to China National Vulnerability Database (CNVD) for reporting the security vulnerabilities to ZTE PSIRT.

Update Records

August 30, 2021, initial.

Supporting team contacts

1. ZTE GCSC hotline: 0755-26770800, 800-830-1118, 400-830-1118
2. Product forum at ZTE Support website.

ZTE PSIRT

If you need to report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.