CVE-2021-21737

Vulnerability

A permission and access control vulnerability exists in the ZTE ZXV10 B860H smart STB. The issue stems from insufficient protection of a system application, allowing an attacker to tamper with the system desktop and affect system customization functions. The affected versions are V5.0, V83011303.0010, and V83011303.0016 [1]. The fixed version is V83011303.0019 [1].

Exploitation

An attacker must be on the same adjacent network as the target device and have low-privilege access (user-level authentication) to exploit this vulnerability. No user interaction is required beyond the attacker's own actions. The attacker can leverage the insufficiently protected system application to modify the desktop environment, likely by manipulating files or settings normally restricted to higher privilege levels [1].

Impact

Successful exploitation allows the attacker to tamper with the system desktop, which can impact system customization functions. The CVSS 3.1 base score is 6.8 (Medium) with a vector of AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, indicating a high impact on confidentiality (information disclosure) but no impact on integrity or availability. The scope is changed, meaning the vulnerability can affect resources beyond the original component [1].

Mitigation

ZTE has released a fixed version V83011303.0019 to address the vulnerability. Users should upgrade their ZXV10 B860H devices to this version or later. No workarounds have been published. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].