Broken Access Control Vulnerability in Some ZTE Mobile Phones

Initial Release Date: February 17, 2023

Vulnerability ID

CVE ID: CVE-2022-23140
CNNVD ID: CNNVD-2022-25909585

CVSS 3.1 Base Score

5.0 Medium (AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L)

Description

There is a broken access control vulnerability in some ZTE mobile phones. Due to improper permission settings that apply after adb is connected to the phone, an attacker with user-level permission could exploit this vulnerability to exceed their authorized privileges on the phone.

Affected Products and Fixes

Product Name   Affected Version                             Resolved Version
Yuanhang 10    All versions up to GEN_CBN_P633S07V1.0.0B33  GEN_CBN_P633S07V1.0.0B34
Yuanhang 30    All versions up to UNI_CN_P633S08V1.0.0B19   UNI_CN_P633S08V1.0.0B20
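As an added defender's check that is not part of the ZTE advisory: the Python below encodes the product and version table above and reports whether a device's reported build string falls inside the affected range, so a fleet administrator can triage which handsets still need the resolved version. It assumes (an assumption, not something the advisory states) that the trailing "B<n>" of the build string is a monotonically increasing build number, and that a build with a different prefix belongs to a firmware line the advisory does not cover; the inventory rows are constructed sample data, not real devices.

```python
import re

# Product/version data copied from the ZTE advisory for CVE-2022-23140.
ADVISORY = {
    "Yuanhang 10": {
        "last_affected": "GEN_CBN_P633S07V1.0.0B33",
        "resolved": "GEN_CBN_P633S07V1.0.0B34",
    },
    "Yuanhang 30": {
        "last_affected": "UNI_CN_P633S08V1.0.0B19",
        "resolved": "UNI_CN_P633S08V1.0.0B20",
    },
}

# Build strings end in "B<digits>"; everything before that is the firmware line.
_BUILD_RE = re.compile(r"^(?P<base>.+?)B(?P<build>\d+)$")


def parse_build(version):
    """Split 'GEN_CBN_P633S07V1.0.0B33' into ('GEN_CBN_P633S07V1.0.0', 33).

    Assumption (ours, not the advisory's): the trailing B-number increases
    monotonically with each build of the same firmware line.
    """
    m = _BUILD_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ZTE build string: {version!r}")
    return m.group("base"), int(m.group("build"))


def assess(product, version):
    """Return 'affected', 'fixed' or 'unknown' for one reported device build."""
    entry = ADVISORY.get(product)
    if entry is None:
        return "unknown"  # product not listed in this advisory
    base, build = parse_build(version)
    fixed_base, fixed_build = parse_build(entry["resolved"])
    if base != fixed_base:
        return "unknown"  # different firmware line; the advisory says nothing about it
    return "fixed" if build >= fixed_build else "affected"


def assess_fleet(inventory):
    """inventory: iterable of (device_id, product, version) rows."""
    return {dev: assess(product, version) for dev, product, version in inventory}


if __name__ == "__main__":
    # Constructed sample inventory for demonstration only.
    SAMPLE = [
        ("dev-001", "Yuanhang 10", "GEN_CBN_P633S07V1.0.0B33"),  # last affected build
        ("dev-002", "Yuanhang 10", "GEN_CBN_P633S07V1.0.0B34"),  # resolved build
        ("dev-003", "Yuanhang 30", "UNI_CN_P633S08V1.0.0B07"),  # older affected build
        ("dev-004", "Yuanhang 30", "UNI_CN_P633S08V2.0.0B01"),  # different firmware line
        ("dev-005", "Other model", "XYZ_B01"),                   # not in the advisory
    ]
    for dev, status in assess_fleet(SAMPLE).items():
        print(dev, status)
```

Devices reported as "unknown" are not cleared: they need a manual check against the vendor's support channel rather than being treated as fixed.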

Acknowledgement

ZTE thanks Li Zhongquan @ADLab of VenusTech for paying attention to our products and cooperating with us to disclose vulnerabilities.

Update Records

February 17, 2023: initial release.

Version Update Method

A device that supports automatic update receives a pop-up update message; upgrade the device accordingly. If no update message is received, contact your service provider to obtain the update information.

ZTE Mobile Phone Support Center

https://support.ztedevices.com/

ZTE PSIRT

https://www.zte.com.cn/global/cybersecurity/ztepsirt.html