Arbitrary File Download Vulnerability in ZTE ZXCLOUD iRAI

Original Release Date: September 21, 2023


Vulnerability ID

CVE ID: CVE-2023-25650
CNNVD ID: CNNVD-2023-02977275


CVSS 3.1 Base Score

6.5 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)



ZXCLOUD iRAI contains an arbitrary file download vulnerability. Because the backend neither escapes special strings nor restricts paths, an attacker with user permission could modify the request parameter sent to the download interface and download arbitrary files.
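The missing path restriction described above can be shown with a small added example. It is not ZTE's code: the function names, directory layout and parameter values are hypothetical and constructed for illustration, and it assumes a POSIX filesystem. It goes slightly beyond the advisory text by also covering absolute paths and symlinks, which a string-only check does not catch.

```python
import os
import tempfile

def resolve_unsafe(base_dir, name):
    # Flaw class from the advisory: the request parameter is joined to the
    # base directory with no escaping and no path restriction.
    return os.path.normpath(os.path.join(base_dir, name))

def resolve_safe(base_dir, name):
    """Return the real path of name inside base_dir, or raise ValueError."""
    if not name or "\x00" in name:
        raise ValueError("empty name or NUL byte")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the containment test.
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the download directory")
    if not os.path.isfile(target):
        raise ValueError("not a regular file")
    return target

def demo():
    """Run both resolvers over constructed parameter values (POSIX paths)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "downloads")      # hypothetical download root
        secret = os.path.join(root, "secret.conf")  # file outside that root
        os.makedirs(os.path.join(base, "reports"))
        for path in (os.path.join(base, "reports", "a.txt"), secret):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        os.symlink(secret, os.path.join(base, "link.conf"))
        cases = {
            "plain": "reports/a.txt",
            "dotdot": "../secret.conf",
            "nested": "reports/../../secret.conf",
            "absolute": secret,
            "symlink": "link.conf",
        }
        for label, name in cases.items():
            escaped = not resolve_unsafe(base, name).startswith(base + os.sep)
            try:
                resolve_safe(base, name)
                verdict = "served"
            except ValueError:
                verdict = "rejected"
            results[label] = (escaped, verdict)
    return results
```

`demo()` returns, for each constructed value, whether the unrestricted join leaves the download directory and whether the contained resolver serves or rejects it; the symlink case stays inside the directory as a string yet is still rejected after resolution.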


Affected Products and Fixes

Product Name        Affected Version               Resolved Version
                    All versions up to V7.23.23




ZTE thanks CNVD for paying attention to our products and cooperating with us to disclose vulnerabilities.


Update Records

September 21, 2023, initial.


Version Update Method

A device that supports automatic update can receive a pop-up update message. You can upgrade the device accordingly. If no update message is received, contact your service provider to obtain the update information.

