CVE-2021-21725

Vulnerability

CVE-2021-21725 is an information leak vulnerability in the ZTE ZXHN H196Q router running firmware version V9.1.0C2. The bug allows an attacker with higher authority to bypass authority restrictions and access files in other directories by performing specific operations [1]. The vulnerability has been addressed in the resolved version V9.1.0C3 [1].

Exploitation

Exploitation requires the attacker to have higher authority (e.g., administrative privileges) on the device and to perform specific operations, though the exact sequence is not publicly detailed. The attacker must be on the adjacent network (AV:A) and have low privileges (PR:L), with no user interaction needed (UI:N). The attack complexity is high (AC:H) [1].

Impact

Successful exploitation results in unauthorized access to files in other directories, leading to information disclosure. The confidentiality impact is rated high (C:H), while integrity and availability are not affected [1].

Mitigation

ZTE has released the fixed firmware version V9.1.0C3 for the ZXHN H196Q. Users should upgrade to this version to mitigate the vulnerability [1]. No workarounds have been published. The vulnerability is not listed on the CISA KEV.