CVE-2022-39066

HIGH

ZTE MF286R - SQL Injection

Title source: llm

Description

There is a SQL injection vulnerability in ZTE MF286R. Due to insufficient validation of the input parameters of the phonebook interface, an authenticated attacker could use the vulnerability to execute arbitrary SQL injection.

Exploits (1)

nomisec WORKING POC 11 stars

by v0lp3 · poc

https://github.com/v0lp3/CVE-2022-39066

View Code ZIP pw:eip

References (1)

Core 1

Core References

Vendor Advisory

https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1027744

Scores

CVSS v3 8.8

EPSS 0.5108

EPSS Percentile 97.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-89

Status published

Products (1)

zte/mf286r_firmware < mf286r_b07

Published Nov 22, 2022

Tracked Since Feb 18, 2026