Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-10934

All versions prior to V5.09.02.02T4 of the ZTE ZXIPTV-EPG product use the Java RMI service in which the servers use the Apache Commons Collections (ACC) library that may result in Java deserialization vulnerabilities. An unauthenticated remote attacker can exploit the vulnerabilities by sending a crafted RMI request to execute arbitrary code on the target host.

Published

2018-07-25T15:29:00.200

Last Modified

2024-11-21T03:06:47.140

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-502

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	zte	zxiptv-epg_firmware	< 5.09.02.02t4	Yes
Hardware	zte	zxiptv-epg	-	No

References

http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1008682 Vendor Advisory ([email protected])
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1008682 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)