CVE-2018-7355

MEDIUM

ZTE MF65 and MF65M1 Firmware < 1.0.0b05 - Cross-Site Scripting

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-7355. PoCs published by Nathu Nandwani.

AI-analyzed exploit summary This exploit demonstrates a reflected XSS vulnerability in ZTE MF65 firmware BD_HDV6MF65V1.0.0B05. The 'cmd' parameter in the '/goform_get_cmd_process' endpoint is not sanitized, allowing arbitrary HTML or JavaScript injection.

Description

All versions up to V1.0.0B05 of ZTE MF65 and all versions up to V1.0.0B02 of ZTE MF65M1 are impacted by cross-site scripting vulnerability. Due to improper neutralization of input during web page generation, an attacker could exploit this vulnerability to conduct reflected XSS or HTML injection attacks on the devices.

Exploits (1)

exploitdb WORKING POC
by Nathu Nandwani · textwebappshardware
https://www.exploit-db.com/exploits/46102

This exploit demonstrates a reflected XSS vulnerability in ZTE MF65 firmware BD_HDV6MF65V1.0.0B05. The 'cmd' parameter in the '/goform_get_cmd_process' endpoint is not sanitized, allowing arbitrary HTML or JavaScript injection.

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: ZTE MF65 BD_HDV6MF65V1.0.0B05
No auth needed
Prerequisites: network access to the vulnerable device
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46102/

Scores

CVSS v3 6.1
EPSS 0.0190
EPSS Percentile 77.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
zte/mf65_firmware < 1.0.0b05
zte/mf65m1_firmware < 1.0.0b02
Published Sep 26, 2018
Tracked Since Feb 18, 2026