CVE-2022-39066

HIGH

ZTE MF286R < mf286r_b07 - Authenticated SQL Injection via Phonebook Interface

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-39066. PoCs published by v0lp3.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2022-39066, a SQL injection vulnerability in ZTE routers. The exploit leverages the PHONE_BLOCK_ADD handler to inject malicious SQL queries, allowing file creation and data manipulation.

Description

There is a SQL injection vulnerability in ZTE MF286R. Due to insufficient validation of the input parameters of the phonebook interface, an authenticated attacker could use the vulnerability to execute arbitrary SQL injection.

Exploits (1)

nomisec WORKING POC 11 stars
by v0lp3 · poc
https://github.com/v0lp3/CVE-2022-39066

This repository contains a functional exploit for CVE-2022-39066, a SQL injection vulnerability in ZTE routers. The exploit leverages the PHONE_BLOCK_ADD handler to inject malicious SQL queries, allowing file creation and data manipulation.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: ZTE routers with firmware BD_POSTEMF286RMODULEV1.0.0B12 and CR_ITPOSTEMF286RV1.0.0B10
Auth required
Prerequisites: Admin credentials for the target router · Network access to the router's web interface
mistral-large-3 · analyzed Feb 19, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 8.8
EPSS 0.2654
EPSS Percentile 97.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-89
Status published
Products (1)
zte/mf286r_firmware < mf286r_b07
Published Nov 22, 2022
Tracked Since Feb 18, 2026