Permission and Access Control Vulnerability in ZXV10 XT802/ET301

Vulnerability

A permission and access control vulnerability exists in ZTE's ZXV10 XT802 and ZXV10 ET301 products. The flaw allows an attacker with common user permissions to intercept legitimate password-change requests on the terminal's web interface and illegitimately modify the administrator password. ZTE ZXV10 ET301 versions up to V3.22.11P3 (inclusive) and ZXV10 XT802 versions up to V2.24.10P1 (inclusive) are affected [1].

Exploitation

An attacker must have a valid common user account on the device's web interface to be able to log in. The attacker then needs to be in a position to intercept network requests between the terminal and the server, for example by performing a man-in-the-middle attack on the local network. By capturing and modifying the password-change request before it reaches the server, the attacker can set the administrator password to a value of their choice [1].

Impact

Successful exploitation results in the attacker gaining full administrative control of the affected ZTE terminal. This leads to a high impact on confidentiality (C:H), and low impacts on integrity and availability (I:L/A:L), as per the CVSS 3.1 score [1].

Mitigation

ZTE has released fixed firmware versions: V3.22.11P3 for the ZXV10 ET301 and V2.24.10P1 for the ZXV10 XT802. Users should contact the ZTE Global Customer Support Center to obtain the updated versions. No workaround is provided; updating to the fixed version is the recommended mitigation [1].