CVE-2018-15005
Description
The ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contains a pre-installed platform app with a package name of com.zte.zdm.sdm (versionCode=31, versionName=V5.0.3) that contains an exported broadcast receiver app component named com.zte.zdm.VdmcBroadcastReceiver that allows any app co-located on the device to programmatically initiate a factory reset. In addition, the app initiating the factory reset does not require any permissions. A factory reset will remove all user data and apps from the device. This will result in the loss of any data that have not been backed up or synced externally. The capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves with the exception of enabled Mobile Device Management (MDM) apps), although this capability can be obtained by leveraging an unprotected app component of a pre-installed platform app.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The ZTE ZMAX Champ contains a pre-installed app with an exported broadcast receiver that allows any app to trigger a factory reset without permissions, leading to data loss.
Vulnerability
The ZTE ZMAX Champ (build fingerprint ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys) includes a pre-installed platform app with package name com.zte.zdm.sdm (versionCode=31, versionName=V5.0.3). This app contains an exported broadcast receiver component named com.zte.zdm.VdmcBroadcastReceiver that can be triggered by any co-located app without requiring any permissions. The receiver initiates a factory reset of the device. This vulnerability affects the specific device and software version as identified in the advisory [1][2].
Exploitation
An attacker needs only to have any app installed on the device. The attacking app does not require any special permissions. By sending an intent to the exported broadcast receiver com.zte.zdm.VdmcBroadcastReceiver, the attacker can programmatically initiate a factory reset. No user interaction is required beyond the installation of the malicious app. The capability to perform a factory reset is not normally available to third-party apps except through Mobile Device Management (MDM) apps, but this vulnerability exposes it without restriction.
Impact
Successful exploitation results in a factory reset, which removes all user data and applications from the device. This leads to permanent loss of any data not backed up or synced externally. The impact is a denial of service and data loss, affecting the confidentiality, integrity, and availability of user data.
Mitigation
No official fix has been published by ZTE as of the disclosure date. Users should regularly back up important data and exercise caution when installing third-party apps. Mobile Device Management (MDM) solutions may be configured to block apps that attempt to use this vulnerable component. The vulnerability was identified through research presented at DEF CON 26 [1][2]. Users may consider disabling or uninstalling the pre-installed app if possible, though this may not be feasible on all devices.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: Android 6.0.1 build MMB29M 20170327.120922
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- www.securityfocus.com/bid/106361mitrevdb-entryx_refsource_BID
- www.kryptowire.com/portal/android-firmware-defcon-2018/mitrex_refsource_MISC
- www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdfmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.