Unauthorized Access Vulnerability in ZTE ZXDSL 831CII Device
CVE-2017-16953

7.5HIGH

Key Information:

Vendor: Zte
Status: Zxdsl 831cii Firmware
Vendor: CVE Published:; 1 December 2017

What is CVE-2017-16953?

The connoppp.cgi script on ZTE ZXDSL 831CII devices fails to enforce HTTP Basic Authentication, enabling remote attackers to execute unauthorized modifications to the PPPoE configuration. This critical oversight permits the exploitation of the device's configuration settings through a simple GET request, potentially resulting in malicious configuration changes.

References

https://www.exploit-db.com/exploits/43188/

exploitx_refsource_EXPLOIT-DB

http://packetstormsecurity.com/files/145121/ZTE-ZXDSL-831...

x_refsource_MISC

http://support.zte.com.cn/support/news/LoopholeInfoDetail...

x_refsource_CONFIRM

EPSS Score

27% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 1, 2017
Vulnerability Reserved
Nov 26, 2017

Zte

What is CVE-2017-16953?

References

EPSS Score

CVSS V3.1

Timeline