CVE-2020-6875

Vulnerability

The ZTE ZXONE 19700 SNPE (running ZXONE8700V1.40R2B13_SNPE) suffers from an improper access control vulnerability [1]. The program lacks an authentication protection mechanism, making it possible for attackers to bypass access controls [1]. The affected version is specifically ZXONE8700V1.40R2B13_SNPE [1].

Exploitation

An attacker can exploit this vulnerability through brute-force attacks over the network [1]. The attacker does not need prior authentication, but due to the high complexity of a brute-force attack (CVSS AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [1]), significant effort may be required. No user interaction is needed [1].

Impact

Successful exploitation allows an attacker to gain unauthorized access rights to the affected device [1]. The primary impact is a breach of confidentiality, with high information disclosure potential, as the CVSS vector indicates confidentiality impact is HIGH while integrity and availability are not affected [1]. The scope is unchanged (the component itself is compromised) [1].

Mitigation

ZTE has released a fixed version to address this vulnerability: ZXONE8700V1.40R2B21_SNPE [1]. Affected users should upgrade to this resolved version [1]. No workaround is mentioned in the available reference [1].