CVE-2023-25649

Summary

There is a command injection vulnerability in a mobile internet product of ZTE. Due to insufficient validation of SET_DEVICE_LED interface parameter, an authenticated attacker could use the vulnerability to execute arbitrary commands.

Affected Software

VendorProductVersion RangeStatus
ZTEMF286RCR_LVWRGBMF286RV1.0.0B04affected

Weaknesses

  • CWE-77: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References