CVE-2020-6873
Description
A ZTE ZXR10 2800-4_ALMPUFB(LOW) device fails to distinguish attack packets from legitimate HTTP traffic, enabling remote unauthenticated DoS on WEB/TELNET management modules.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability exists in the WEB/TELNET management interface of the ZTE ZXR10 2800-4_ALMPUFB(LOW) product. The firmware cannot differentiate between malicious attack packets and normal HTTP traffic, allowing an attacker to flood the modules with specially crafted packets. All versions up to and including V3.00.40 are affected [1].
Exploitation
An unauthenticated remote attacker can send crafted packets over the network to the device's management interface. No prior authentication or user interaction is required. The attacker does not need any special network position beyond standard network access to the management module [1].
Impact
Successful exploitation causes a denial of service condition in the WEB/TELNET module, resulting in the device becoming unmanageable. The availability of the management interface is compromised, though no data confidentiality or integrity impact is noted [1]. The CVSS v3.1 base score is 5.3 (Medium) [1].
Mitigation
ZTE has resolved the issue in firmware version V4.00.10 and later. Users should upgrade the affected product ZXR10 2800-4_ALMPUFB(LOW) to this fixed version. No workarounds are documented in the available reference [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ZTE/ZXR10 2800-4_ALMPUFB (description)
- Range: <= V3.00.40
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] support.zte.com.cn/support/news/LoopholeInfoDetail.aspx (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.