CVE-2014-4154

ZTE ZXV10 W300 Firmware W300V1.0.0a_ZRD_LK - Unprotected Credential Exposure via tc2wanfun.js

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-4154. PoCs published by Osanda Malith Jayathissa.

AI-analyzed exploit summary This is a detailed technical writeup describing multiple vulnerabilities in ZTE WXV10 W300 routers, including default credentials, backup file disclosure, password disclosure, CSRF, and DoS. It provides PoC URLs and code snippets but does not include a full functional exploit.

Description

ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain the PPPoE/PPPoA password via a direct request for basic/tc2wanfun.js.

Exploits (1)

exploitdb WRITEUP
by Osanda Malith Jayathissa · textwebappshardware
https://www.exploit-db.com/exploits/33803

This is a detailed technical writeup describing multiple vulnerabilities in ZTE WXV10 W300 routers, including default credentials, backup file disclosure, password disclosure, CSRF, and DoS. It provides PoC URLs and code snippets but does not include a full functional exploit.

Classification
Writeup 95%
Attack Type
Info Leak | Auth Bypass | Dos
Complexity
Trivial
Reliability
Reliable
Target: ZTE WXV10 W300 with firmware W300V1.0.0a_ZRD_LK
No auth needed
Prerequisites: Network access to the router's web interface
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Scores

EPSS 0.0657
EPSS Percentile 93.0%

Details

CWE
CWE-264
Status published
Products (2)
zte/zxv10_w300
zte/zxv10_w300_firmware 1.0.0a_zrd_lk
Published Jul 16, 2014
Tracked Since Feb 18, 2026