Command Execution Vulnerability in ZTE's Conference Management System

Original release date:  August 30, 2021


CVE ID

CVE-2021-21741


CVSS 3.1 Base Score

8.1 High

Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L


Description

A ZTE conference management system is affected by a command execution vulnerability. Because the soapmonitor's Java object service is enabled by default, an attacker could exploit this vulnerability to execute arbitrary commands by sending a deserialization payload to port 5001.


Affected Products and Fixes

Product Name: ZXV10 M910

Affected Versions:
ZXV10 M910 V1.2.21.01.04P01
ZXV10 M910 V1.2.20.01U01.01
ZXV10 M910 V1.2.19.01U01.01
ZXV10 M910 V1.2.16.01U01.01

Resolved Version:
ZXV10 M910 V1.2.23.01
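A practitioner reading this advisory usually needs to answer one question first: which ZXV10 M910 units in the estate still run one of the listed builds? The script below is an added triage example written for this page, not ZTE's code, and it uses only the version strings the advisory gives. It parses the firmware string (including the U01/P01 suffixes), matches it against the listed affected and resolved builds, and flags anything unlisted for vendor confirmation. The inventory rows are constructed sample data, and the rule that a build numbered above V1.2.23.01 carries the fix is an assumption the advisory does not state.

```python
import re

# Version data taken from the ZTE advisory for CVE-2021-21741 (ZXV10 M910).
PRODUCT = "ZXV10 M910"
AFFECTED_VERSIONS = {
    "V1.2.21.01.04P01",
    "V1.2.20.01U01.01",
    "V1.2.19.01U01.01",
    "V1.2.16.01U01.01",
}
RESOLVED_VERSION = "V1.2.23.01"

# Constructed sample inventory: (hostname, product, firmware string). Not real devices.
SAMPLE_INVENTORY = [
    ("mcu-hq-01", "ZXV10 M910", "ZXV10 M910 V1.2.21.01.04P01"),
    ("mcu-hq-02", "ZXV10 M910", "V1.2.23.01"),
    ("mcu-branch-03", "ZXV10 M910", "V1.2.18.02U01.01"),
    ("mcu-lab-04", "ZXV10 M910", "v1.2.25.01"),
    ("gw-lab-05", "OtherProduct", "V3.0.1"),
]


def normalize_version(raw: str) -> str:
    """Strip the product prefix and surrounding whitespace, upper-case the rest."""
    v = raw.strip().upper()
    if v.startswith(PRODUCT):
        v = v[len(PRODUCT):].strip()
    return v


def release_tuple(version: str) -> tuple:
    """Leading dotted numeric groups, e.g. V1.2.21.01.04P01 -> (1, 2, 21, 1, 4).

    Letter suffixes such as U01 or P01 are not compared; they end the numeric run.
    """
    m = re.match(r"V?((?:\d+\.)*\d+)", version)
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def classify(raw_version: str) -> str:
    """Return 'affected', 'resolved', 'assumed-resolved' or 'unverified'."""
    v = normalize_version(raw_version)
    if v in AFFECTED_VERSIONS:
        return "affected"
    if v == RESOLVED_VERSION:
        return "resolved"
    # Assumption (not stated in the advisory): builds numbered above the resolved
    # version carry the fix. Any other unlisted build needs vendor confirmation.
    if release_tuple(v) > release_tuple(RESOLVED_VERSION):
        return "assumed-resolved"
    return "unverified"


def triage_inventory(inventory):
    """Classify every ZXV10 M910 row; other products are skipped."""
    results = []
    for host, product, firmware in inventory:
        if product.strip().upper() != PRODUCT:
            continue
        results.append((host, classify(firmware)))
    return results


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:15} {status}")
```

Hosts reported as "affected" or "unverified" are the ones to schedule for the firmware update and, until then, to keep port 5001 unreachable from untrusted networks.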


Acknowledgement

Thanks to China National Vulnerability Database (CNVD) for reporting the security vulnerabilities to ZTE PSIRT.


Update Records

August 30, 2021: initial release.


Supporting team contacts

1.  ZTE GCSC hotline:

0755-26770800

800-830-1118

400-830-1118

2.  Product forum at the ZTE Support website.


ZTE PSIRT

If you need to report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.
