Skip to main content

CVE-2023-25644: CWE-755 Improper Handling of Exceptional Conditions in ZTE MC801A

Medium
VulnerabilityCVE-2023-25644cvecve-2023-25644cwe-755
Published: Thu Dec 14 2023 (12/14/2023, 08:04:26 UTC)
Source: CVE
Vendor/Project: ZTE
Product: MC801A

Description

There is a denial of service vulnerability in some ZTE mobile internet products. Due to insufficient validation of Web interface parameter, an attacker could use the vulnerability to perform a denial of service attack.

AI-Powered Analysis

AILast updated: 07/08/2025, 08:40:54 UTC

Technical Analysis

CVE-2023-25644 is a denial of service (DoS) vulnerability identified in the ZTE MC801A mobile internet product, specifically in the firmware version MC801A_Elisa3_B19. The root cause of this vulnerability is improper handling of exceptional conditions (CWE-755) due to insufficient validation of parameters passed through the device's web interface. An attacker can exploit this flaw remotely without requiring authentication or user interaction by sending specially crafted requests to the web interface. This leads to a denial of service condition, causing the device to become unresponsive or crash, thereby disrupting network connectivity for users relying on the affected device. The vulnerability has a CVSS 3.1 base score of 6.5, indicating a medium severity level. The attack vector is adjacent network (AV:A), meaning the attacker must be on the same local network or connected to the device's network segment. The vulnerability requires no privileges and no user interaction, and it impacts availability only, with no confidentiality or integrity impact. No public exploits are currently known, and no patches have been published at the time of this report. The vulnerability was reserved in early 2023 and published in December 2023. Given the nature of the device as a mobile internet gateway, exploitation could disrupt internet access for end users or enterprise environments relying on these devices for connectivity.

Potential Impact

For European organizations, the impact of this vulnerability could be significant in environments where ZTE MC801A devices are deployed as primary or backup mobile internet gateways. Disruption of these devices could lead to loss of internet connectivity, impacting business operations, communications, and access to cloud services. This is particularly critical for remote offices, mobile workforce connectivity, or IoT deployments that depend on stable mobile internet access. While the vulnerability does not compromise data confidentiality or integrity, the availability impact could cause operational downtime and productivity loss. Additionally, critical infrastructure sectors relying on mobile internet for redundancy or failover could face service interruptions. The medium severity rating suggests a moderate risk, but the ease of exploitation without authentication and user interaction increases the likelihood of opportunistic attacks, especially in shared or public network environments.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first identify any deployed ZTE MC801A devices, particularly those running the affected firmware version MC801A_Elisa3_B19. Network segmentation should be employed to restrict access to the device's web interface, limiting it to trusted management networks only. Implementing firewall rules to block unauthorized access to the device's management interface from untrusted or public networks is critical. Monitoring network traffic for unusual or malformed requests targeting the web interface can help detect exploitation attempts. Organizations should engage with ZTE or their vendors to obtain firmware updates or patches as soon as they become available. In the absence of patches, consider disabling the web management interface if operationally feasible or restricting it to secure VPN access. Regularly auditing device configurations and applying security best practices for IoT and network devices will reduce exposure. Finally, incident response plans should include procedures for rapid device replacement or network rerouting in case of a successful DoS attack.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
zte
Date Reserved
2023-02-09T19:47:48.022Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682f67ff0acd01a249264598

Added to database: 5/22/2025, 6:07:59 PM

Last enriched: 7/8/2025, 8:40:54 AM

Last updated: 8/4/2025, 12:36:51 AM

Views: 14

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats