Two Vulnerabilities in Some ZTE Mobile Internet Products

Initial Release Date:  August 24, 2023

 

Vulnerability ID

Vulnerability 1: CVE ID: CVE-2023-25642   CNNVD-ID: CNNVD-2023-07593891 

Vulnerability 2: CVE ID: CVE-2023-25643   CNNVD-ID: CNNVD-2023-33629346

 

 

CVSS 3.1 Base Score 

Vulnerability 1: 5.9 Medium (AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)

Vulnerability 2: 8.4 High (AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

 

Description 

Vulnerability 1: There is a buffer overflow vulnerability in some ZTE mobile internet producsts. Due to insufficient validation of tcp port parameter, an authenticated attacker could use the vulnerability to perform a denial of service attack. 

Vulnerability 2: There is a command injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of multiple network parameters, an authenticated attacker could use the vulnerability to execute arbitrary commands.

 

Affected Products and Fixes

Product Name

Affected Version

Resolved Version

MC801A

MC801A_Elisa3_B19

MC801A_Elisa3_B22

MC801A1

MC801A1_Elisa1_B04

MC801A1_Elisa1_B06

 


Acknowledgement
 

ZTE thanks Baptiste MOINE (Creased) and Romain KRAFT (Areizen)  for paying attention to our products and cooperating with us to disclose vulnerabilites.

 

Update Records

August 24, 2023, initial.

 

Version Update Method

A device that supports automatic update can receive a pop-up update message. You can upgrade the device accordingly. If no update message is received, contact your service provider to obtain the update information.

 

Global Customer Support Center

http://support.zte.com.cn/support/web/Contact.aspx?_langType=en

 

ZTE PSIRT

https://www.zte.com.cn/global/cybersecurity/ztepsirt.html

[Close]