ZTE F460/F660 cable modems contain an unauthenticated backdoor.
ZTE F460/F660 cable modems contain an unauthenticated backdoor. The web_shell_cmd.gch script accepts unauthenticated commands that have administrative access to the device. It has been reported that the web_shell_cmd.gch script is sometimes accessible from the WAN interface making exploitation of this backdoor from the Internet possible in certain cases.
An unauthenticated attacker can run commands with administrator level access on the device.
We are currently unaware of a practical solution to this problem. Please consider the following workaround.
Remove Affected Script
Thanks to Rapid7 for reporting this vulnerability.
This document was written by Jared Allar.
|Date First Published:||2014-03-04|
|Date Last Updated:||2014-03-19 14:30 UTC|