Broken Access Control Vulnerability in Some ZTE Mobile Phones

Initial Release Date:  February 17, 2023


Vulnerability ID

CVE ID: CVE-2022-23140

CNNVD ID: CNNVD-2022-25909585


CVSS 3.1 Base Score 

5.0 Medium (AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L)



There is a broken access control vulnerability in some ZTE mobile phones. Due to improper permission settings after adb is connected to a mobile phone, an attacker with user permission could exploit this vulnerability to perform actions beyond their authorized permissions when using the phone.


Affected Products and Fixes

Product Name    Affected Version                                  Resolved Version
Yuanhang 10     All versions up to GEN_CBN_P633S07V1.0.0B33
Yuanhang 30     All versions up to UNI_CN_P633S08V1.0.0B19




ZTE thanks Li Zhongquan @ADLab of VenusTech for paying attention to our products and cooperating with us to disclose vulnerabilities.


Update Records

February 17, 2023, initial.


Version Update Method

A device that supports automatic update can receive a pop-up update message. You can upgrade the device accordingly. If no update message is received, contact your service provider to obtain the update information.


ZTE Mobile Phone Support Center