CVE-2017-10930
Description
Pre-v3.00.40 ZXR10 routers let unauthenticated users download configuration files, exposing admin credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An improper access control vulnerability exists in ZTE ZXR10 1800-2S, 2800-4, 3800-8, and 160 devices running software versions prior to v3.00.40 [1]. The web interface does not properly restrict access to configuration file downloads, allowing any user—even without authentication—to retrieve sensitive device data [1].
Exploitation
An attacker with network access to the affected device's web interface can directly download configuration files without any authentication or user interaction [1]. The vulnerability is exploitable remotely over the network, requiring no special privileges or prior access [1].
Impact
Successful exploitation yields the device's configuration, which includes administrator account names and plaintext passwords [1]. This information can then be used to gain full administrative control over the router, leading to complete compromise of confidentiality, integrity, and availability [1].
Mitigation
ZTE released v3.00.40 to address this vulnerability [1]. Users should upgrade to v3.00.40 or later. As a workaround, disable the web configuration interface and manage the device exclusively through CLI commands [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <3.00.40
- (no CPE) range: All versions prior to V3.00.40
Patches
No patches discovered yet.
References
[1] support.zte.com.cn/support/news/LoopholeInfoDetail.aspx (nvd, Permissions Required)