CVE-2015-7251

9.8 CRITICAL

📋 TL;DR

ZTE ZXHN H108N R1A devices have a hardcoded root password 'root', allowing remote attackers to gain full administrative control via TELNET. This affects all devices before firmware version ZTE.bhs.ZXHNH108NR1A.k_PE. Attackers can completely compromise the device and potentially pivot to internal networks.

💻 Affected Systems

Products:
  • ZTE ZXHN H108N R1A
Versions: All versions before ZTE.bhs.ZXHNH108NR1A.k_PE
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: TELNET service is typically enabled by default on these devices.

📦 What is this software?

The ZXHN H108N is a ZTE ADSL2+ wireless broadband router (customer-premises equipment) commonly supplied by ISPs to residential and small-business subscribers; R1A is the hardware variant covered by this advisory. The hardcoded credential lives in the device firmware, so it is present on every unit running an affected build regardless of what the subscriber configured.
⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover leading to network compromise, data exfiltration, malware deployment, and use as a pivot point for internal attacks.

🟠 Likely Case

Remote attackers gain administrative access to modify configurations, intercept traffic, or disable security features.

🟢 If Mitigated

Limited impact if TELNET is disabled and strong perimeter controls prevent external access.

🌐 Internet-Facing: HIGH - Devices exposed to internet are trivially exploitable via TELNET with known credentials.
🏢 Internal Only: HIGH - Internal attackers or malware can easily exploit this to gain device control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple TELNET connection with username 'root' and password 'root' provides full access. Exploit code is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ZTE.bhs.ZXHNH108NR1A.k_PE or later

Advisory (CERT/CC VU#391604): https://www.kb.cert.org/vuls/id/391604

Restart Required: Yes

Instructions:

1. Download the latest firmware (ZTE.bhs.ZXHNH108NR1A.k_PE or later) from the ZTE support site.
2. Log into the device web interface.
3. Navigate to the firmware update section.
4. Upload and apply the new firmware.
5. Reboot the device.

🔧 Temporary Workarounds

Disable TELNET service

Disable the TELNET service in the device web interface if the firmware exposes that option. This removes the only known path to the hardcoded account. Changing the administrator password in the web interface does not help: the root credential is hardcoded in the firmware, not a user-settable default, so only disabling the service or upgrading the firmware removes it.

Network access control

Block inbound TCP port 23 from the WAN side at a firewall in front of the device. On a Linux firewall, insert the rule at the top of the chain so that an earlier ACCEPT rule cannot shadow it, and scope it to the WAN-facing interface so that management from the LAN keeps working:

iptables -I INPUT -i <wan-interface> -p tcp --dport 23 -j DROP

The rule does not survive a reboot unless saved with the platform's own persistence mechanism, and it does nothing against an attacker already on the LAN.

🧯 If You Can't Patch

  • Isolate device in separate VLAN with strict access controls
  • Implement network monitoring for TELNET connections and failed login attempts

🔍 How to Verify

Check if Vulnerable:

Attempt a TELNET connection to the device on port 23 and log in with username 'root' and password 'root'. If a shell prompt appears, the device is vulnerable; if the login prompt is re-issued or the connection is refused, it is not exposed through this path.
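The check above as a small script, added here as an example and not code from the original page or from ZTE. It speaks just enough of the TELNET protocol to refuse option negotiation, drives the login with root/root, and classifies the outcome from what the device prints; the same classification serves the "Verify Fix Applied" step. The prompt patterns (a `login:` / `Password:` pair and a BusyBox-style `#` prompt) and the default target 192.168.1.1 are assumptions, adjust them if your unit prints different banners.

```python
"""Check whether a host accepts the hardcoded TELNET credential root/root."""
import re
import socket
import sys

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
USERNAME, PASSWORD = b"root", b"root"           # credential from CVE-2015-7251

LOGIN_PROMPT = re.compile(rb"login:\s*$", re.I)
PASSWORD_PROMPT = re.compile(rb"password:\s*$", re.I)
SHELL_PROMPT = re.compile(rb"[#$>]\s*$")         # assumption: BusyBox-style shell prompt
LOGIN_FAILED = re.compile(rb"login incorrect|access denied|authentication fail", re.I)


def strip_telnet_options(data):
    """Split a received chunk into (plain text, replies to send back).

    Every DO/WILL the server offers is refused with WONT/DONT so the session
    stays in plain NVT mode; an escaped 0xFF 0xFF is kept as a data byte."""
    text, reply = bytearray(), bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            text.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:
            text.append(IAC)
            i += 2
        elif i + 2 < len(data) and data[i + 1] in (DO, DONT, WILL, WONT):
            cmd, opt = data[i + 1], data[i + 2]
            if cmd == DO:
                reply += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DONT, opt])
            i += 3
        else:
            i += 2                                # some other two-byte IAC command
    return bytes(text), bytes(reply)


def classify(transcript):
    """Interpret what the server printed after the password was sent."""
    if LOGIN_FAILED.search(transcript):
        return "not_vulnerable"
    last = transcript.rstrip().split(b"\n")[-1]
    if SHELL_PROMPT.search(last):
        return "vulnerable"                       # root/root produced a shell
    if LOGIN_PROMPT.search(last) or PASSWORD_PROMPT.search(last):
        return "not_vulnerable"                   # prompt re-issued: credential rejected
    return "unknown"                              # nothing recognisable came back


def read_until(sock, patterns, timeout):
    """Accumulate text until a pattern matches the end of the buffer or the
    socket goes quiet; option negotiation is answered on the fly."""
    sock.settimeout(timeout)
    buf = b""
    while True:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            return buf
        if not chunk:
            return buf
        text, reply = strip_telnet_options(chunk)
        if reply:
            sock.sendall(reply)
        buf += text
        if any(p.search(buf) for p in patterns):
            return buf


def check_host(host, port=23, timeout=5.0):
    """Return 'vulnerable', 'not_vulnerable', 'unknown' or 'unreachable' for one device."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"                      # port closed or filtered: TELNET not exposed
    with sock:
        buf = read_until(sock, [LOGIN_PROMPT], timeout)
        if not LOGIN_PROMPT.search(buf):
            return "unknown"                      # service answered but printed no login prompt
        sock.sendall(USERNAME + b"\r\n")
        buf = read_until(sock, [PASSWORD_PROMPT, SHELL_PROMPT], timeout)
        if PASSWORD_PROMPT.search(buf):
            sock.sendall(PASSWORD + b"\r\n")
            buf = read_until(sock, [SHELL_PROMPT, LOGIN_PROMPT, LOGIN_FAILED], timeout)
        return classify(buf)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"   # assumption: LAN gateway
    print(target, check_host(target))
```

Run it only against devices you are authorised to test; a "vulnerable" result means the device handed out a root shell, so treat it as an incident if the device faces the internet.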

Check Version:

Read the firmware version from the system information page of the web interface (or from the device shell after a TELNET login) and compare it with ZTE.bhs.ZXHNH108NR1A.k_PE.

Verify Fix Applied:

Verify firmware version is ZTE.bhs.ZXHNH108NR1A.k_PE or later in web interface, and TELNET login with 'root'/'root' fails.

📡 Detection & Monitoring

Log Indicators:

  • Successful TELNET logins from unusual IPs
  • Multiple failed TELNET attempts

Network Indicators:

  • Inbound TELNET connections (TCP port 23) to the device, especially from the WAN side
  • New outbound connections from the device to unexpected destinations, or scanning of the LAN, following a TELNET session

SIEM Query (field names vary by product; the TELNET server port is the destination port of the inbound connection):

dest_port=23 AND (event_type="authentication_success" OR username="root")
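The network indicators above as a detection run over connection logs, added here as an example and not taken from the original page. It flags accepted TCP/23 sessions to the device from any source outside a trusted management range, rates a session that moved more than a banner-grab's worth of data as high severity, and counts dropped attempts so a scan still shows up. The key=value log format, the 10.0.0.0/8 trusted range, the byte threshold and the sample lines are all constructed assumptions; adapt LINE_RE to your own firewall or flow export.

```python
"""Flag TELNET sessions to a router in key=value connection logs."""
import re
from ipaddress import ip_address, ip_network

TRUSTED_NETS = [ip_network("10.0.0.0/8")]     # assumption: management network
INTERACTIVE_BYTES = 1000                        # assumption: a scanner banner grab is far smaller

# Assumed format: one record per connection, as many firewalls and flow exporters log it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample lines (not captured from a real device): an external login session,
# a banner grab against a second router, an admin session from the trusted range,
# a dropped attempt, and unrelated HTTP traffic.
SAMPLE_LOGS = """\
2015-11-20T10:01:02Z src=203.0.113.45 dst=192.0.2.10 proto=tcp dport=23 action=accept bytes=4120
2015-11-20T10:01:05Z src=203.0.113.45 dst=192.0.2.11 proto=tcp dport=23 action=accept bytes=88
2015-11-20T10:02:00Z src=10.0.0.5 dst=192.0.2.10 proto=tcp dport=23 action=accept bytes=9000
2015-11-20T10:03:00Z src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=23 action=drop bytes=0
2015-11-20T10:04:00Z src=203.0.113.99 dst=192.0.2.10 proto=tcp dport=80 action=accept bytes=2200
"""


def is_trusted(addr):
    """True if the source address lies inside a management range."""
    ip = ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def detect_telnet_sessions(log_text):
    """Return (alerts, dropped_count).

    alerts holds one dict per accepted TCP/23 session from an untrusted source;
    dropped_count tallies TCP/23 attempts the firewall rejected."""
    alerts, dropped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "tcp" or int(m["dport"]) != 23:
            continue
        if m["action"] != "accept":
            dropped += 1
            continue
        if is_trusted(m["src"]):
            continue
        nbytes = int(m["bytes"])
        alerts.append({
            "ts": m["ts"], "src": m["src"], "dst": m["dst"], "bytes": nbytes,
            "severity": "high" if nbytes >= INTERACTIVE_BYTES else "medium",
        })
    return alerts, dropped


if __name__ == "__main__":
    found, rejected = detect_telnet_sessions(SAMPLE_LOGS)
    for a in found:
        print(f"[{a['severity']}] {a['ts']} telnet {a['src']} -> {a['dst']} ({a['bytes']} bytes)")
    print(f"{rejected} dropped TELNET attempt(s)")
```

On a fleet of CPE devices the same logic belongs in the SIEM rule: any accepted inbound TCP/23 session from outside the management range is the alert, and the byte count separates a real login from an internet-wide scan.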
