CVE-2024-22069
📋 TL;DR
This vulnerability allows authenticated users with common permissions to intercept password change requests and modify administrator credentials on ZTE ZXV10 XT802/ET301 devices. Attackers can gain administrative privileges without proper authorization. Organizations using these specific ZTE terminal products are affected.
💻 Affected Systems
- ZTE ZXV10 XT802
- ZTE ZXV10 ET301
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over the device, enabling them to reconfigure network settings, intercept traffic, deploy malware, or use the device as a pivot point into internal networks.
Likely Case
Privilege escalation where low-privileged users gain administrative access, potentially leading to unauthorized configuration changes, service disruption, or data exposure.
If Mitigated
Limited impact with proper network segmentation, monitoring, and access controls preventing unauthorized users from reaching the web interface.
🎯 Exploit Status
Exploitation requires authenticated access and ability to intercept/modify HTTP requests, which is straightforward with tools like Burp Suite or browser dev tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in advisory
Vendor Advisory: https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1036424
Restart Required: Yes
Instructions:
1. Contact ZTE support for latest firmware. 2. Backup current configuration. 3. Upload and apply firmware update via web interface. 4. Reboot device. 5. Verify fix by testing password change functionality.
🔧 Temporary Workarounds
Network segmentation
allRestrict access to device management interface to authorized administrative networks only
Access control lists
allImplement firewall rules to limit source IP addresses that can reach the web interface
🧯 If You Can't Patch
- Monitor for unusual authentication events and password change attempts in device logs
- Implement multi-factor authentication if supported, or consider replacing vulnerable devices
🔍 How to Verify
Check if Vulnerable:
Test if authenticated non-admin users can intercept and modify password change requests to escalate privilegesCheck Version:
Check firmware version in web interface under System > Status or similar menuVerify Fix Applied:
After patching, verify that password change requests properly validate user permissions and cannot be intercepted/modified📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful login
- Password change events from non-admin users
- Unusual administrative configuration changes
Network Indicators:
- HTTP POST requests to password change endpoints from unexpected sources
- Unusual traffic patterns to/from device management interface
SIEM Query:
source="zte_device" AND (event_type="password_change" AND user_role!="admin")