Vulnerability Details : CVE-2019-3422
The Sec Consult Security Lab reported an information disclosure vulnerability in MF910S product to ZTE PSIRT in October 2019. Through the analysis of related product team, the information disclosure vulnerability is confirmed. The MF910S product's one-click upgrade tool can obtain the Telnet remote login password in the reverse way. If Telnet is opened, the attacker can remotely log in to the device through the cracked password, resulting in information leakage. The MF910S was end of service on October 23, 2019, ZTE recommends users to choose new products for the purpose of better security.
Vulnerability category: Information leak
Products affected by CVE-2019-3422
- cpe:2.3:o:zte:mf910s_firmware:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-3422
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 19 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-3422
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
1.9
|
LOW | AV:L/AC:M/Au:N/C:P/I:N/A:N |
3.4
|
2.9
|
NIST | |
|
6.2
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
2.5
|
3.6
|
NIST |
CWE ids for CVE-2019-3422
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-3422
-
http://packetstormsecurity.com/files/158990/ZTE-Mobile-Hotspot-MS910S-Backdoor-Hardcoded-Password.html
ZTE Mobile Hotspot MS910S Backdoor / Hardcoded Password ≈ Packet Storm
-
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1011722
Security Bulletin DetailsVendor Advisory
-
http://seclists.org/fulldisclosure/2020/Aug/20
Full Disclosure: SEC Consult SA-20200827-0 :: Multiple Vulnerabilities in ZTE mobile Hotspot MS910S
Jump to