CVE-2024-45414

CRITICAL

ZTE Routers - Unauthenticated Stack-based Buffer Overflow in webPrivateDecrypt

Title source: llm

Description

The HTTPD binary in multiple ZTE routers has a stack-based buffer overflow vulnerability in webPrivateDecrypt function. This function is responsible for decrypting RSA encrypted ciphertext, the encrypted data is supplied base64 encoded. The decoded ciphertext is stored on the stack without checking its length. An unauthenticated attacker can get RCE as root by exploiting this vulnerability.

References (1)

Core 1

Core References

Various Sources

https://wr3nchsr.github.io/zte-multiple-routers-httpd-vulnerabilities-advisory/

Scores

CVSS v3 9.8

EPSS 0.0048

EPSS Percentile 37.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-121

Status published

Published Sep 16, 2024

Tracked Since Feb 18, 2026