Local File Inclusion Vulnerability in ZTE Routers' HTTPD Binary
CVE-2024-45416

Currently unrated

Key Information:

Vendor: ZTE
Status: ZTE Routers
Vendor: CVE Published:; 16 September 2024

What is CVE-2024-45416?

A local file inclusion vulnerability exists in the HTTPD binary of multiple ZTE routers, specifically in the session_init function. This flaw arises due to the lack of validation when iterating through files in the /var/lua_session directory, where session -LUA- files are stored. An attacker who manages to upload a malicious file to this directory could exploit this vulnerability, executing the file without proper checks in place, potentially leading to remote code execution with root privileges.

References

https://wr3nchsr.github.io/zte-multiple-routers-httpd-vul...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 16, 2024