CVE-2018-15006
Description
The ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contains a pre-installed platform app with a package name of com.android.zte.hiddenmenu (versionCode=23, versionName=6.0.1) that contains an exported broadcast receiver app component named com.android.zte.hiddenmenu.CommandReceiver that is accessible to any app co-located on the device. This app component, when it receives a broadcast intent with a certain action string, will write a non-standard (i.e., not defined in Android Open Source Project (AOSP) code) command to the /cache/recovery/command file to be executed in recovery mode. Once the device boots into recovery mode, it will crash, boot into recovery mode, and crash again. This crash loop will keep repeating, which makes the device unusable. There is no way to boot into an alternate mode once the crash loop starts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The ZTE ZMAX Champ (Z917VL) contains a pre-installed app with an exported broadcast receiver that can be abused to cause a persistent boot-loop, rendering the device unusable.
Vulnerability
The ZTE ZMAX Champ Android device (build fingerprint ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys) ships with a pre-installed platform app com.android.zte.hiddenmenu (versionCode=23, versionName=6.0.1). This app exposes an exported broadcast receiver component com.android.zte.hiddenmenu.CommandReceiver that is accessible to any other app co-located on the device. When triggered with a specific action string, the receiver writes a non-standard (not defined in AOSP) command to the /cache/recovery/command file. This command is executed upon entering recovery mode, leading to a crash, which causes the device to repeatedly boot into recovery mode and crash again in an infinite loop. [1] [2]
Exploitation
An attacker needs only a malicious app installed on the same device (no special permissions required beyond android.permission.SEND_BROADCAST). The attacker sends a broadcast intent matching the action string expected by CommandReceiver. No user interaction beyond installing the malicious app is needed. Once the broadcast is received, the command is written, and upon the next reboot (normal or forced), the device enters the crash loop. [1] [2]
Impact
Successful exploitation results in a persistent denial of service (DoS). The device becomes unusable as it continuously crashes and reboots into recovery mode. There is no way to boot into an alternate mode once the loop starts, effectively bricking the device for normal use. Data on the device remains intact but inaccessible during the loop. [1] [2]
Mitigation
As of the publication date (2018-12-28), no official patch or firmware update from ZTE was confirmed. The references do not list a fixed version. Users are advised to avoid installing untrusted apps and to disable the com.android.zte.hiddenmenu package if possible via adb shell pm disable or a root-level solution. The device is EOL and no longer receives updates. There is no known KEV listing. [1] [2]
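The root cause described above is a broadcast receiver that is exported with no permission guarding it. As an added example (not from the advisory or from the vendor's code), this Python script audits a decoded AndroidManifest.xml for that pattern; the manifest, package name and action strings are constructed placeholders, since the page does not give the real action string.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for illustration; package, receiver and action names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vendor.hiddenmenu">
  <application>
    <receiver android:name=".CommandReceiver">
      <intent-filter><action android:name="com.example.vendor.PLACEHOLDER_ACTION"/></intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver" android:exported="true"
        android:permission="com.example.vendor.permission.GUARDED"/>
    <receiver android:name=".InternalReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.vendor.INTERNAL"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def is_exported(component):
    """Explicit android:exported wins; if absent, an intent-filter implies exported
    (the default before Android 12, which covers the 6.0.1 build on this page)."""
    flag = component.get(ANDROID + "exported")
    if flag is not None:
        return flag.strip().lower() == "true"
    return component.find("intent-filter") is not None

def unprotected_receivers(manifest_xml):
    """Return (receiver name, filtered actions) for exported receivers with no permission."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        app_permission = app.get(ANDROID + "permission")  # default for every component
        for receiver in app.findall("receiver"):
            guarded = receiver.get(ANDROID + "permission") or app_permission
            if not is_exported(receiver) or guarded:
                continue
            name = receiver.get(ANDROID + "name", "")
            if name.startswith("."):
                name = package + name  # expand the relative class name
            actions = [a.get(ANDROID + "name") for a in receiver.iter("action")]
            findings.append((name, actions))
    return findings

if __name__ == "__main__":
    for name, actions in unprotected_receivers(SAMPLE_MANIFEST):
        print(f"exported without permission: {name} actions={actions}")
```

A receiver that does declare a permission still needs review: the guard only restricts callers if that permission's protectionLevel is signature-based rather than normal.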
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 20170327.120922 (Android MMB29M, Z917VL)
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/106361 (mitre; vdb-entry, x_refsource_BID)
- www.kryptowire.com/portal/android-firmware-defcon-2018/ (mitre; x_refsource_MISC)
- www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf (mitre; x_refsource_MISC)