CVE-2023-25651

MEDIUM EXPLOITED

ZTE MF833U1 and MF286R Firmware - Authenticated SQL Injection via SMS Interface Parameter

Exploitation Summary

CVE-2023-25651 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

There is a SQL injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of the SMS interface parameter, an authenticated attacker could use the vulnerability to execute SQL injection and cause an information leak.

Scores

CVSS v3 4.3
EPSS 0.0004
EPSS Percentile 13.7%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Details

VulnCheck KEV 2024-09-19
CWE CWE-20, CWE-89
Status published
Products (2)
zte/mf286r_firmware cr_lvwrgbmf286rv1.0.0b04
zte/mf833u1_firmware bd_mf833u1v1.0.0b01
Published Dec 14, 2023
Tracked Since Feb 18, 2026