CVE-2023-25643

HIGH

ZTE MC801A and MC801A1 Firmware - Authenticated OS Command Injection

Description

There is a command injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of multiple network parameters, an authenticated attacker could use the vulnerability to execute arbitrary commands.

Scores

CVSS v3: 8.4
EPSS: 0.0028
EPSS Percentile: 51.4%
Attack Vector: ADJACENT_NETWORK
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-77
Status: published
Products (2):
zte/mc801a1_firmware mc801a1_elisa1_b04
zte/mc801a_firmware mc801a_elisa3_b19
Published: Dec 14, 2023
Tracked Since: Feb 18, 2026