Cybersecurity specialists report the detection of multiple vulnerabilities in ZTE MF971R hotspot routers. According to the report, the successful exploitation of the reported failures would allow the deployment of all kinds of risk scenarios.
Below are brief descriptions of the detected flaws, in addition to their respective identification keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).
CVE-2021-21749: A limit error on affected devices would allow unauthenticated threat actors to drive a target user to a malicious website in order to perform a buffer overflow condition.
The vulnerability received a CVSS score of 7.2/10 and its successful exploitation would allow hackers to run arbitrary code on affected systems.
CVE-2021-21748: A limit error in the code related to the API ADB_MODE_SWITCH would allow unauthenticated threat actors to lead a target user to a buffer overflow condition and arbitrary code execution.
This vulnerability received a CVSS score of 7.7/10.
CVE-2021-21746: Insufficient disinfection of user-provided data in “sms_cmd_status_info” would allow remote threat actors to trick users into running arbitrary scripts on the vulnerable website.
This is a low-severity flaw and received a CVSS score of 5.3/10.
CVE-2021-21747: Insufficient disinfection of user-provided data in “xmlclient” would allow remote threat actors to execute arbitrary scripts in the context of the affected user’s browser.
The flaw received a CVSS score of 5.3/10.
CVE-2021-21743: Vulnerable software does not fix the CRLF character sequence process, so malicious hackers could send specially crafted requests to get a split HTTP response.
This is a medium severity flaw that received a CVSS score of 5.5/10.
CVE-2021-21744: A pre-authentication configuration file control issue would allow threat actors to trick victims into overwriting an entry in the configuration file.
This is a low-severity score and received a CVSS score of 4.6/10.
CVE-2021-21745: A referrer mitigation bypass issue would allow unauthenticated remote threat actors to trick a victim into bypassing the authentication process on affected systems.
This is a low-severity vulnerability and received a CVSS score of 4.1/10.
While these flaws could be exploited by remote, non authenticated threat actors, cybersecurity specialists have no detected active exploitation attempts. Nonetheless, experts recommend updating as soon as possible.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.