CVE-2023-25643

EPSS 0.28%
Published 14.12.2023 08:15:38
Last modified 21.11.2024 07:49:51
Source psirt@zte.com.cn
Teams watchlist Login
Open Login



There is a command injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of multiple network parameters, an authenticated attacker could use the vulnerability to execute arbitrary commands.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Zte ≫ Mc801a Firmware Versionmc801a_elisa3_b19

Zte ≫ Mc801a Version-

Zte ≫ Mc801a1 Firmware Versionmc801a1_elisa1_b04

Zte ≫ Mc801a1 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.28%	0.51

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
psirt@zte.com.cn	8.4	1.7	6	CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032504

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-25643

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-25643

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-25643

EUVD