CVE-2021-21726
Description
ZTE ZXONE products have an input verification vulnerability in the diagnostic interface allowing high-privilege attackers to cause process exceptions via repeated illegal parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An input verification vulnerability exists in the diagnostic function interface of certain ZTE ZXONE products. The flaw stems from insufficient validation of user-supplied parameters, enabling an attacker with high privileges to trigger process exceptions by repeatedly sending illegal inputs. Affected products and versions include ZXONE 9700 and ZXONE 8700 running V1.40.021.021CP049, and ZXONE 19700 running V1.0P02B219_@NCPM-RELEASE_2.40R1-20200914.set [1].
Exploitation
An attacker must already possess high privileges on the affected device. Exploitation involves repeatedly inputting illegal parameters into the diagnostic interface. No user interaction or network access beyond the local management interface is required; the attack vector is local with high attack complexity due to the privilege requirement [1].
Impact
Successful exploitation leads to a process exception, resulting in a denial of service condition affecting availability. The CVSS v3.1 base score is 1.9 (Low), with no impact on confidentiality or integrity [1]. The scope remains unchanged.
Mitigation
ZTE has released fixed versions: for ZXONE 9700 and 8700, upgrade to V1.40.040.100_M2SNPE; for ZXONE 19700, upgrade to V1.0P02B224_@NCPM-RELEASE_2.40R1-20201208.set or V1.0P02B224C16_@NCPM.set [1]. No workarounds are documented. The vulnerability was discovered internally and disclosed on March 10, 2021.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ZTE/ZXONE 9700, ZXONE 8700, ZXONE 19700
- Range: = V1.40.021.021CP049
- Range: = V1.0P02B219_@NCPM-RELEASE_2.40R1-20200914.set
- Range: = V1.40.021.021CP049
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- support.zte.com.cn/support/news/LoopholeInfoDetail.aspx (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.