CVE-2018-7364

Vulnerability

The ZTE ZXIN10 product (European region) running ZXINOS-RESV1.01.43 or earlier contains an improper access control vulnerability in the devcomm daemon, which listens on 0.0.0.0:9098 and is reachable from any connected network [1][2]. The daemon processes XML commands that are Base64-encoded and prefixed with a magic value and an 8-byte length field [1]. The vulnerability stems from insufficient access control, allowing unauthenticated remote attackers to send arbitrary commands [2]. Affected versions are all up to ZXINOS-RESV1.01.43 on the ZXIN10 European platform [2][3].

Exploitation

An attacker on the same network as a vulnerable ZXIN10 node can connect to the devcomm daemon on TCP port 9098 without authentication [1]. By crafting a malicious XML payload, encoding it in Base64, and prefixing it with the required magic and length bytes, the attacker can trigger arbitrary code execution [1]. Proof-of-concept exploits demonstrate both a heap overflow that can lead to remote code execution and a direct root-level reverse shell using Python scripts [1]. No user interaction is required, and the attack does not require any prior credentials [2].

Impact

Successful exploitation grants the attacker root privileges on the target system, enabling full control over the ZXIN10 node [1][2]. The attacker can then execute arbitrary commands, install persistent backdoors, pivot to other systems on the network, manipulate passwords, run commands under any local account, execute MML commands, or cause denial of service [1]. The CVSS v3.0 base score is 8.3 (High) with a scope change, reflecting the potential compromise of resources beyond the vulnerable component [2][3].

Mitigation

ZTE released the fix in version ZXINOS-RESV1.01.44 for the ZXIN10 European region [2][3]. Operators should upgrade to this version immediately. No workarounds are documented in the public advisory [2][3]. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.