CVE-2014-2946

Huawei WebUI 11.010.06.01.858 - Cross-Site Request Forgery via SMS API

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-2946. PoCs published by Benjamin Daniel Mussler.

AI-analyzed exploit summary This exploit demonstrates a CSRF vulnerability in Huawei E303 routers, allowing unauthorized SMS sending via a crafted HTTP POST request. The PoC includes a sample XML payload to trigger the vulnerability.

Description

Cross-site request forgery (CSRF) vulnerability in api/sms/send-sms in the Web UI 11.010.06.01.858 on Huawei E303 modems with software 22.157.18.00.858 allows remote attackers to hijack the authentication of administrators for requests that perform API operations and send SMS messages via a request element in an XML document.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Benjamin Daniel Mussler · textremotehardware
https://www.exploit-db.com/exploits/39209

This exploit demonstrates a CSRF vulnerability in Huawei E303 routers, allowing unauthorized SMS sending via a crafted HTTP POST request. The PoC includes a sample XML payload to trigger the vulnerability.

Classification
Working Poc 90%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: Huawei E303 Router (firmware CH2E303SM)
No auth needed
Prerequisites: Victim must visit a malicious page or follow a crafted link
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/325636
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/58992

Scores

EPSS 0.0108
EPSS Percentile 60.7%

Details

CWE
CWE-352
Status published
Products (3)
huawei/e303_modem ch2e303sm
huawei/e303_modem_firmware 22.157.18.00.858
huawei/webui 11.010.06.01.858
Published Jun 02, 2014
Tracked Since Feb 18, 2026