CVE-2015-7259

high-risk

Published 2017-08-24

ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow user accounts to have multiple valid username and password pairs, which allows remote authenticated users to login to a target account via any of its username and password pairs.

Do I need to act?

33.3% chance of exploitation in next 30 days

EPSS score — higher than 67% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

38772

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (2)

Zxv10 W300 Firmware

Affected Vendors

Zte

References (8)

Third Party Advisory http://packetstormsecurity.com/files/134336/ZTE-ADSL-Authorization-Bypass-Inform...

Third Party Advisory http://packetstormsecurity.com/files/134493/ZTE-ADSL-ZXV10-W300-Authorization-Di...

Mailing List http://seclists.org/fulldisclosure/2015/Nov/48

Third Party Advisory https://www.exploit-db.com/exploits/38772/

Third Party Advisory http://packetstormsecurity.com/files/134336/ZTE-ADSL-Authorization-Bypass-Inform...

Third Party Advisory http://packetstormsecurity.com/files/134493/ZTE-ADSL-ZXV10-W300-Authorization-Di...

Mailing List http://seclists.org/fulldisclosure/2015/Nov/48

Third Party Advisory https://www.exploit-db.com/exploits/38772/

/ 100

high-risk

Severity 30/34 · Critical

Exploitability 16/34 · Moderate

Exposure 7/34 · Low