Severity by source
AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L
Lifecycle Timeline
2DescriptionCVE.org
ZTE ZX297520V3 BootROM contains a vulnerability that allows arbitrary memory writes via USB. Attackers can exploit the lack of target address validation in the USB download mode to write data to any location in BootROM runtime memory, thereby overwriting the stack, hijacking the execution flow, bypassing the Secure Boot signature verification mechanism, and achieving unauthorized code execution.
AnalysisAI
Arbitrary memory writes via USB in ZTE ZX297520V3 BootROM allow physical attackers with USB access to bypass Secure Boot signature verification and achieve unauthorized code execution by exploiting missing target address validation in USB download mode. The vulnerability requires physical device access and user interaction (device boot into download mode), resulting in a CVSS score of 5.1, but enables complete bypass of cryptographic security mechanisms and Secure Boot protections.
Technical ContextAI
ZTE ZX297520V3 BootROM is the low-level boot firmware that initializes ZTE networking equipment before the main operating system loads. The BootROM implements a USB download mode for firmware updates and recovery operations. The vulnerability stems from CWE-787 (Out-of-bounds Write), where the USB download protocol accepts write commands without validating the target memory address. Attackers can specify arbitrary addresses in BootROM runtime memory during the download phase, allowing them to overwrite critical memory regions including the stack, function return addresses, and potentially Secure Boot verification code or cryptographic keys. The lack of address range validation means the download handler does not restrict writes to intended firmware regions, enabling arbitrary memory corruption and execution flow hijacking before Secure Boot mechanisms can verify the final kernel image.
RemediationAI
ZTE has released security advisories and patches via their support portal. Affected organizations should immediately check the ZTE support bulletin (reference: https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2144487415169560645) for available firmware updates that address the BootROM vulnerability. Apply the latest patched BootROM version to all ZX297520V3 devices. As a compensating control, enforce strict physical security around ZTE equipment: restrict direct USB access to devices via port locks or cable guards, disable USB download mode in production environments (accessible only through secured serial console or management interfaces), and implement facility-level access controls to prevent unauthorized personnel from accessing devices during the boot phase. For devices already deployed, monitor physical access logs and audit trails. Note that BootROM vulnerabilities cannot be patched in the field if Secure Boot is disabled; therefore, devices suspected of compromise should be returned to ZTE for secure BootROM reprogramming.
web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE have a hardcoded password of root for the root account, whic
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow user accounts to have multiple valid
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated users to obtain
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remote attackers to discover usernames and password ha
The TELNET service on the ZTE ZXV10 W300 router 2.1.0 has a hardcoded password ending with airocon for the admin account
Absolute path traversal vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE
connoppp.cgi on ZTE ZXDSL 831CII devices does not require HTTP Basic Authentication, which allows remote attackers to mo
Cross-site scripting (XSS) vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated non-administrato
All versions up to ZXINOS-RESV1.01.43 of the ZTE ZXIN10 product European region are impacted by improper access control
The ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK has a default password of admin for the admin account, which
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28232
GHSA-2jfv-r29r-j6wr