SecuriTricks - CVE-2024-22066

Description

There is a privilege escalation vulnerability in ZTE ZXR10 ZSR V2 intelligent multi service router . An authenticated attacker could use the vulnerability to obtain sensitive information about the device.

Product(s) Impacted

Vendor	Product	Versions
Zte	Zxr10 1800-2s Firmware Zxr10 1800-2s Zxr10 2800-4 Firmware Zxr10 2800-4 Zxr10 3800-8 Firmware Zxr10 3800-8 Zxr10 160 Firmware Zxr10 160	* - * - * - * -

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-294

Authentication Bypass by Capture-replay

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
o	zte	zxr10_1800-2s_firmware	/	/	/	/	/	/	/	/
h	zte	zxr10_1800-2s	-	/	/	/	/	/	/	/
o	zte	zxr10_2800-4_firmware	/	/	/	/	/	/	/	/
h	zte	zxr10_2800-4	-	/	/	/	/	/	/	/
o	zte	zxr10_3800-8_firmware	/	/	/	/	/	/	/	/
h	zte	zxr10_3800-8	-	/	/	/	/	/	/	/
o	zte	zxr10_160_firmware	/	/	/	/	/	/	/	/
h	zte	zxr10_160	-	/	/	/	/	/	/	/

References

https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/1171513586716225590

CVSS Score

7.5 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

View Vector String

Timeline

Published: Oct. 29, 2024, 9:15 a.m.
Last Modified: Nov. 8, 2024, 2:31 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

psirt@zte.com.cn

CVE-2024-22066