Vulnerability Note VU#600724
ZTE F460/F660 cable modems contain an unauthenticated backdoor
ZTE F460/F660 cable modems contain an unauthenticated backdoor. The web_shell_cmd.gch script accepts unauthenticated commands that have administrative access to the device. It has been reported that the web_shell_cmd.gch script is sometimes accessible from the WAN interface, making exploitation of this backdoor from the Internet possible in certain cases.
An unauthenticated attacker can run commands with administrator-level access on the device.
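One way to watch for requests to the script described above, as an added example that is not part of the original note. It assumes an HTTP proxy or sensor in front of the device's management interface that writes Combined Log Format lines; the log lines, addresses, LAN ranges and the `classify`/`scan` names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

SCRIPT = "web_shell_cmd.gch"  # script name taken from the advisory
# Assumption: these ranges are the local side; every other source counts as WAN.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Combined Log Format: source, timestamp, request line, status.
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def classify(line):
    """Return a finding dict if the line is a request for SCRIPT, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = urlsplit(m["target"]).path  # drop any query string
    for _ in range(2):  # undo single and double percent-encoding
        path = unquote(path)
    if path.rstrip("/").rsplit("/", 1)[-1].lower() != SCRIPT:
        return None
    try:
        ip = ipaddress.ip_address(m["src"])
        origin = "LAN" if any(ip in net for net in LAN_NETS) else "WAN"
    except ValueError:
        origin = "WAN"  # unparseable source: treat as untrusted
    return {"src": m["src"], "origin": origin, "method": m["method"],
            "served": m["status"] == "200"}  # 200: the request was answered

def scan(lines):
    """Collect a finding for every log line that requests the script."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (private and documentation addresses).
SAMPLE = [
    '192.168.1.20 - - [03/Mar/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '192.168.1.20 - - [03/Mar/2014:10:00:05 +0000] "GET /web_shell_cmd.gch HTTP/1.1" 200 2048',
    '203.0.113.7 - - [03/Mar/2014:10:02:11 +0000] "POST /%77eb_shell_cmd.gch HTTP/1.1" 200 2048',
    '198.51.100.9 - - [03/Mar/2014:10:03:40 +0000] "GET /WEB_SHELL_CMD.GCH?x=1 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with origin `WAN` and `served` set to `True` means the script answered a request from outside the local ranges, which is the exposure the note describes.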
We are currently unaware of a practical solution to this problem. Please consider the following workaround.
Remove Affected Script
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
| --- | --- | --- | --- |
| ZTE Corporation | Affected | - | 19 Mar 2014 |
Thanks to Rapid7 for reporting this vulnerability.
This document was written by Jared Allar.
- CVE IDs: Unknown
- Date Public: 03 Mar 2014
- Date First Published: 04 Mar 2014
- Date Last Updated: 19 Mar 2014
- Document Revision: 17