CVE-2021-21734

Vulnerability

ZTE PON MDU devices (ZXA10 F821 V1.7.0P3T22, F822 V1.4.3T6, F819 V1.2.1T5, F832 V1.1.1T7, F839 V1.1.0T8, F809 V3.2.1T1, F822P V1.1.1T7, and F832 V2.00.00.01) store sensitive information in plaintext. An authenticated user can retrieve this information by executing a specific command on the device [1].

Exploitation

An attacker must have network access to the affected device and possess valid login credentials (user-level privilege). No additional user interaction is required. After authenticating, the attacker inputs the command to retrieve the plaintext sensitive information.

Impact

Successful exploitation results in disclosure of sensitive information (e.g., passwords or cryptographic keys) stored in plaintext. This compromises confidentiality but does not affect integrity or availability. The disclosed information may enable further attacks against the device or network.

Mitigation

ZTE has released fixed versions for all affected products: ZXA10 F821 V1.7.0P3T25, F822 V1.4.4T2, F819 V1.2.1T6, F832 V1.1.1T8, F839 V1.1.0T9, F809 V3.2.1T2, F822P V1.1.1T8, and F832 V2.00.00.02 [1]. Users should upgrade to these versions. No workaround is documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.