VYPR
Unrated severity · NVD Advisory · Published Nov 16, 2018 · Updated Aug 5, 2024

CVE-2018-7363

Description

All ZXHN F670 V1.0 versions up to V1.1.10P3T18 lack authorization delay in appviahttp, enabling brute-force credential attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The improper authorization vulnerability affects all versions up to V1.1.10P3T18 of the ZTE ZXHN F670 V1.0 product. The appviahttp service lacks any authorization delay, which allows an attacker to repeatedly attempt authentication without throttling [1].

Exploitation

An attacker needs network access to the device (adjacent network, CVSS 3.0 vector AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). No authentication is required. The attacker can brute force account credentials by sending multiple login requests to the appviahttp service without encountering any delay or lockout mechanism [1].
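The control whose absence is described above, sketched as an added example (not ZTE's code and not taken from the fixed firmware): a per-account delay that doubles after each failed login. All names, the `base_delay`/`max_delay` values and the stand-in credential check are assumptions; `base_delay=0` models a service with no authorization delay.

```python
class LoginThrottle:
    """Per-account delay that doubles after each consecutive failed login."""

    def __init__(self, base_delay=1.0, max_delay=300.0):
        self.base_delay = base_delay   # seconds after the first failure (assumed value)
        self.max_delay = max_delay     # ceiling, so an account is never locked for good
        self._state = {}               # account -> (failures, earliest next attempt)

    def retry_after(self, account, now):
        """Seconds still to wait before another attempt is evaluated (0.0 = allowed)."""
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - now)

    def record(self, account, success, now):
        if success:
            self._state.pop(account, None)   # a good login clears the history
            return
        failures = self._state.get(account, (0, 0.0))[0] + 1
        # The exponent is capped so a long failure run cannot overflow the float.
        delay = min(self.base_delay * 2 ** min(failures - 1, 32), self.max_delay)
        self._state[account] = (failures, now + delay)


def attempt_login(throttle, verify, account, password, now):
    """Return 'throttled', 'denied' or 'ok'.

    The throttle is consulted before verify() runs, so a guess submitted
    during the delay is rejected without being checked at all.
    """
    if throttle.retry_after(account, now) > 0:
        return "throttled"
    ok = verify(account, password)
    throttle.record(account, ok, now)
    return "ok" if ok else "denied"


def evaluated_guesses(throttle, verify, account, per_second, window_seconds):
    """Replay a constructed burst of wrong passwords; count how many get checked."""
    checked = 0
    for tick in range(per_second * window_seconds):
        result = attempt_login(throttle, verify, account, "wrong-%d" % tick,
                               tick / per_second)
        checked += result != "throttled"
    return checked


def constructed_verify(account, password):
    """Stand-in credential check for the demo (hypothetical account and secret)."""
    return account == "admin" and password == "constructed-secret"
```

Because the delay is keyed on the account, the `max_delay` ceiling also bounds how long repeated failures from another host can keep the legitimate administrator waiting.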

Impact

Successful exploitation results in limited information disclosure (confidentiality impact: low). The attacker can obtain valid credentials, potentially gaining unauthorized access to the device's administrative functions [1].

Mitigation

ZTE has released the fix in version V1.1.10P3T22 for ZXHN F670 V1.0. Users should upgrade their firmware to this version or later. If upgrading is not immediately possible, restrict network access to the device's management interface [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • ZTE ZXHN F670 (match: llm-fuzzy), 2 version ranges
    • range: <=V1.1.10P3T18 (no CPE)
    • range: unspecified (no CPE)

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
