Permission and Access Control Vulnerability in ZTE H388X

Original Release Date: June 19 2024

 

 

Vulnerability ID

CVE ID: CVE-2023-25646

CNNVD ID: CNNVD-2024-88974696

 

CVSS 3.1 Base Score

7.1 High

AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

 

Description

There is an unauthorized access vulnerability in ZTE H388X. If the H388X is subjected to brute-force serial port cracking, attackers with common user permission can use this vulnerability to obtain elevated permission on the affected device by performing specific operations.

 

Affected Products and Fixes

Product Name: ZXHN H388X

Affected Version: H388X V10.1: AGZHM_1.3.1

Resolved Version: H388X V10.1: AGZHM_1.4.0

 

 

Acknowledgement

ZTE thanks security researcher Filippo Pitzalis (Abissi SRL) for paying attention to our products and cooperating with us to disclose the vulnerability.

 

Update Records

June 19 2024, initial.

 

Version Update Method

Please contact ZTE Global Customer Support Center to obtain the upgraded version.

 

Global Customer Support Center

http://support.zte.com.cn/support/web/Contact.aspx?_langType=en

 

ZTE PSIRT

https://www.zte.com.cn/global/cybersecurity/ztepsirt.html