VYPR
Unrated severity · NVD Advisory · Published Jul 25, 2018 · Updated Sep 16, 2024

CVE-2017-10935

Description

Authenticated users can bypass password verification and change other users' passwords on ZTE ZXR10 1800-2S before ZSRV2 V3.00.40.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability exists in ZTE ZXR10 1800-2S products running versions prior to ZSRV2 V3.00.40. It allows remote authenticated users to bypass the original password authentication protection when changing another user's password. No special configuration is required to reach the affected code path. [1]

Exploitation

An attacker must have valid credentials to authenticate to the device remotely. Once authenticated, they can change the password of any other user without providing the current password. The attack requires no user interaction and can be performed over the network. [1]

Impact

Successful exploitation leads to unauthorized modification of other users' passwords. This can result in privilege escalation, denial of service (by locking out legitimate users), or complete compromise of the targeted accounts. The attacker gains the ability to impersonate other users and access their privileges. [1]

Mitigation

ZTE has addressed this issue in firmware version ZSRV2 V3.00.40. Users should upgrade to this version or later. The fix involves adding strict authentication functions on the server side. No workarounds are documented in the available reference. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • ZTE ZXR10 1800-2S (2 versions)
    • (no CPE) range: <3.00.40
    • (no CPE) range: All versions prior to ZSRV2 V3.00.40

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
