CVE-2022-23142

Vulnerability

The ZXEN CG200 contains a denial-of-service vulnerability in its management web interface. An attacker can send a large number of HTTP GET requests in a short period, overwhelming the device and making the administrative webpages inaccessible. All versions up to V1.0.0P1N5_M are affected, as per the vendor's advisory [1]. The vulnerability is reachable without authentication or special configuration, as the management interface is exposed over HTTP by default.

Exploitation

An attacker needs network adjacency (CVSS attack vector Adjacent) to reach the management interface. No authentication or user interaction is required. The attacker simply crafts and transmits a high volume of HTTP GET requests in a short time window, exhausting the device's ability to respond to legitimate management traffic [1].

Impact

Successful exploitation causes a denial of service specifically for the product's management websites. The device continues to operate normally for other functions, but administrators cannot access the web-based management console. The impact is on availability only (C:N/I:N/A:H), with no data disclosure or integrity loss [1].

Mitigation

The vendor, ZTE, has released a fixed version V1.0.0P1N6_M to resolve the vulnerability. Users should contact ZTE Global Customer Support Center to obtain the upgrade [1]. No workarounds are documented in the public advisory. The product is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.