CVE-2024-45416
📋 TL;DR
This vulnerability allows local file inclusion in ZTE routers' HTTPD binary, enabling attackers who can write malicious files to the /var/lua_session directory to execute arbitrary code as root. It affects multiple ZTE router models running vulnerable firmware versions. Attackers need local access to the router's filesystem to exploit this vulnerability.
💻 Affected Systems
- Multiple ZTE router models (specific models not detailed in advisory)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full root-level remote code execution leading to complete router compromise, network traffic interception, credential theft, and lateral movement into connected networks.
Likely Case
Local privilege escalation from a lower-privileged user to root, allowing attackers to modify router configuration, install persistent backdoors, or pivot to other network devices.
If Mitigated
Limited impact if proper file permissions prevent unauthorized writes to /var/lua_session directory and network segmentation isolates routers.
🎯 Exploit Status
Exploitation requires ability to write files to /var/lua_session directory, which typically requires some level of existing access to the router's filesystem.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Specific version not provided in advisory - check ZTE security updates
Vendor Advisory: Not provided in the reference - monitor ZTE security advisories
Restart Required: Yes
Instructions:
1. Check ZTE security advisory for affected models and patched firmware versions
2. Download appropriate firmware update from ZTE support portal
3. Backup current router configuration
4. Upload and apply firmware update through router admin interface
5. Reboot router to complete installation
6. Verify fix by checking firmware version and testing session functionality
🔧 Temporary Workarounds
Restrict /var/lua_session directory permissions
Linux: set strict permissions on the lua_session directory so that only root can write to it:
chmod 700 /var/lua_session
chown root:root /var/lua_session
On many embedded routers /var is a tmpfs that is recreated at boot, so reapply these commands after every restart (for example from a startup script) and confirm the result with ls -ld /var/lua_session. Afterwards check that the web interface still creates and reads sessions normally.
Disable HTTPD service if not required
Linux: stop and disable the vulnerable HTTPD service if the router can be managed through another secure channel:
killall httpd
rm /etc/init.d/S80httpd
Make sure that other channel (SSH or a serial console, for example) works before running these, because the web interface goes away with httpd, and check in /etc/init.d which script actually starts httpd on your model before removing anything.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable routers from critical network segments
- Monitor /var/lua_session directory for unauthorized file creation using file integrity monitoring tools
🔍 How to Verify
Check if Vulnerable:
Check whether httpd is running and whether /var/lua_session is group- or world-writable (the weak permissions the workaround above removes): ls -la /var/lua_session && ps aux | grep '[h]ttpd' (the bracket keeps grep from listing itself)
Check Version:
cat /etc/version or check router web interface for firmware version
Verify Fix Applied:
Verify firmware version is updated and test that session functionality still works without allowing arbitrary file execution
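The permission check above, as an added example that is not part of this advisory or of any ZTE tooling: a small POSIX shell script that audits the session directory (any path, defaulting to /var/lua_session), reports its owner and whether group or world write is set, and lists running httpd processes. It uses only ls, cut, awk and ps so it also runs under busybox; the function names and exit codes are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the advisory: audit the session directory named in the
# "How to Verify" step. Uses only ls/cut/awk/ps so it runs under busybox as well
# as a full GNU userland. Function names and exit codes are this example's own.

# Prints ok, missing or writable for the given directory and returns 0, 1 or 2.
# "writable" means the group or other write bit is set, which is the weak
# permission the advisory warns about.
check_session_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "missing"
        return 1
    fi
    perms=$(ls -ld "$dir" | cut -c1-10)     # e.g. drwxrwxrwx
    gw=$(printf '%s' "$perms" | cut -c6)     # group write position
    ow=$(printf '%s' "$perms" | cut -c9)     # other write position
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "writable"
        return 2
    fi
    echo "ok"
    return 0
}

# Prints owner:group and status, since the mitigation expects root:root and 700.
report_session_dir() {
    dir="$1"
    status=$(check_session_dir "$dir" || true)
    owner=$(ls -ld "$dir" 2>/dev/null | awk '{print $3 ":" $4}')
    echo "$dir owner=${owner:-none} status=$status"
}

# Lists running httpd processes; output format differs between busybox ps and
# procps, so this is informational only. [h] keeps grep from matching itself.
list_httpd() {
    { ps aux 2>/dev/null || ps; } | grep '[h]ttpd' || echo "no httpd process found"
}

# Run directly on the router, or against a mounted firmware rootfs by passing
# the directory path as the first argument.
report_session_dir "${1:-/var/lua_session}"
list_httpd
```

Run it before and after applying the chmod/chown workaround: the status should move from writable to ok and the owner should read root:root. A missing result on a running router means the firmware uses a different session path and the advisory's paths need to be checked against your model.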
📡 Detection & Monitoring
Log Indicators:
- Unusual file creation in /var/lua_session directory
- HTTPD process spawning unexpected child processes
- Failed attempts to write to protected directories
Network Indicators:
- Unusual outbound connections from router to external IPs
- Unexpected network traffic patterns from router management interface
SIEM Query:
process_name:"httpd" AND (file_path:"/var/lua_session/*" OR child_process_count > threshold)
Field names and the child-process threshold are generic placeholders: map them to your SIEM's schema and set the threshold from the router's normal process activity, otherwise the query will either never fire or fire on every session write.
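The file-creation monitoring asked for under "If You Can't Patch" and listed as a log indicator above, as an added example that is not part of this advisory: a minimal file-integrity check in POSIX shell. snapshot_dir records one line per file (path and size) and diff_snapshot reports files that are new, or whose size changed, relative to a saved baseline. It assumes file names without spaces, which holds for session files; the function names and the baseline path in the usage comment are this example's own.

```shell
#!/bin/sh
# Added example, not from the advisory: a minimal file-integrity check for the
# session directory, the kind of monitoring the "If You Can't Patch" and
# "Detection & Monitoring" sections ask for. Assumes file names without spaces.
# Function names and the baseline location are this example's own.

# Write "path size" for every regular file under the directory, sorted by path.
snapshot_dir() {
    find "$1" -type f 2>/dev/null | sort | while read -r f; do
        printf '%s %s\n' "$f" "$(wc -c < "$f" | tr -d ' ')"
    done
}

# Compare a saved baseline against the directory's current state and print
# "new PATH" for files absent from the baseline and "modified PATH" for files
# whose size differs. Deleted files are not reported.
diff_snapshot() {
    baseline="$1"
    dir="$2"
    snapshot_dir "$dir" | awk -v base="$baseline" '
        BEGIN {
            while ((getline line < base) > 0) {
                split(line, p, " ")
                size[p[1]] = p[2]
            }
        }
        {
            if (!($1 in size)) print "new " $1
            else if (size[$1] != $2) print "modified " $1
        }'
}

# Usage on the router, e.g. from cron or a startup script (baseline path is an
# example location, not one the advisory names):
#   snapshot_dir /var/lua_session > /root/lua_session.baseline
#   diff_snapshot /root/lua_session.baseline /var/lua_session
```

Session files are created and removed during normal logins, so expect some churn; the signal worth alerting on is a file that appears without a matching admin login or that is not named like the router's normal session entries. Keep the baseline outside /var if that directory is a tmpfs on your model, or it will vanish at reboot along with the data it describes.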