CVE-2022-39071

7.1 HIGH

📋 TL;DR

This vulnerability in some ZTE mobile phones allows malicious applications to overwrite system configuration files and user installers without user permission. It affects users who have installed malicious apps on vulnerable ZTE devices. The vulnerability enables unauthorized modification of critical system components.

💻 Affected Systems

Products:
  • ZTE mobile phones
Versions: Specific models/versions not publicly detailed in available references
Operating Systems: Android-based ZTE custom OS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires malicious app installation; exact affected models not specified in public references

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing persistent malware installation, data theft, and system instability through unauthorized file modifications.

🟠 Likely Case

Malicious apps gaining elevated privileges to modify system settings, install unwanted software, or disrupt normal device operation.

🟢 If Mitigated

Limited impact if users only install apps from trusted sources and the device has security controls enabled.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user to install malicious application; no public exploit code available

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in public references

Vendor Advisory: https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1030664

Restart Required: Yes

Instructions:

1. Check for ZTE security updates in device settings.
2. Install latest security patches from ZTE.
3. Restart device after update.

🔧 Temporary Workarounds

Restrict app installations

android

Only install apps from official Google Play Store and disable unknown sources

Settings > Security > Unknown sources (disable)

Regular security scans

android

Use reputable mobile security software to detect malicious applications

🧯 If You Can't Patch

  • Only install applications from trusted official sources like Google Play Store
  • Regularly review installed applications and remove any suspicious or unnecessary apps

🔍 How to Verify

Check if Vulnerable:

Check device model and software version against ZTE security advisories

Check Version:

Settings > About phone > Software information

Verify Fix Applied:

Verify latest security patches are installed and device is running updated software

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized file modification attempts in system directories
  • Suspicious app installation patterns

Network Indicators:

  • Unusual network traffic from mobile apps attempting to download additional payloads

SIEM Query:

Not applicable for typical mobile device environments
