VYPR
Unrated severity · NVD Advisory · Published Nov 16, 2018 · Updated Aug 5, 2024

CVE-2018-7360

Description

An unauthenticated attacker on an adjacent network can retrieve the GPON serial number from ZTE ZXHN F670 routers via the appviahttp service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The ZTE ZXHN F670 router (all versions up to V1.1.10P3T18) exposes the GPON serial number (GPON SN) through the appviahttp service without requiring authentication. This information exposure vulnerability allows an unauthenticated attacker to retrieve the device's unique GPON identifier.

Exploitation

An attacker must be on the same local network as the target device (adjacent network, CVSS vector AV:A). No authentication or user interaction is required. The attacker sends a crafted request to the appviahttp service, which responds with the GPON SN.

Impact

Successful exploitation discloses the GPON serial number, a device-specific identifier. While the immediate impact is information disclosure, the CVSS score of 9.6 (Critical) suggests potential for broader compromise, though the available references only confirm exposure of the GPON SN [1].

Mitigation

ZTE released firmware version V1.1.10P3T22 to resolve this vulnerability. Users should upgrade their ZXHN F670 routers to this version or later. No workarounds are documented in the advisory [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Zte/ZXHN F670 (llm-fuzzy), 2 versions: <= V1.1.10P3T18, + 1 more
    • (no CPE) range: <= V1.1.10P3T18
    • (no CPE) range: unspecified

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
