CVE-2017-10934
CRITICALZTE ZXIPTV-EPG Firmware < 5.09.02.02t4 - Unauthenticated Remote Code Execution via Java RMI Deserialization
Title source: llmDescription
All versions prior to V5.09.02.02T4 of the ZTE ZXIPTV-EPG product use the Java RMI service in which the servers use the Apache Commons Collections (ACC) library that may result in Java deserialization vulnerabilities. An unauthenticated remote attacker can exploit the vulnerabilities by sending a crafted RMI request to execute arbitrary code on the target host.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1008682
Scores
CVSS v3
9.8
EPSS
0.0709
EPSS Percentile
91.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (1)
zte/zxiptv-epg_firmware
< 5.09.02.02t4
Published
Jul 25, 2018
Tracked Since
Feb 18, 2026