CVE-2022-39071 - Vulnerability Details

Description

There is an unauthorized access vulnerability in some ZTE mobile phones. If a malicious application is installed on the phone, it could overwrite some system configuration files and user installers without user permission.

Published: 2023-05-30

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

ZTE Blade A52, ZTE Blade A51, ZTE Blade A3 Lite, ZTE Blade A5 2020, ZTE Blade L210, ZTE Blade A7s, ZTE Blade A31, ZTE Blade A31 Plus, ZTE Blade A5 (2019), ZTE Blade A71, ZTE Blade A72, ZTE Blade V20 Smart, ZTE Blade V30, ZTE Blade V30 Vita, ZTE V40 Pro, ZTE Blade V40 Vita, ZTE Axon 40 Ultra

affected

Version	Status	Constraints
All versions up to Z6356T_M01, All versions up to Blade A51_M06, All versions up to Blade A30_M08, All versions up to Blade A5 2020-T_M04, All versions up to GEN_MY_L210_V1.13, All versions up to CLA_GT_A7020_V2.1, All versions up to Blade A31_M02, All versions up to P600_M03, All versions up to P650 Pro_M12, All versions up to GEN_EU_EEA_A7030_V2.3, All versions up to MyOS11.0.2_A7039_CLA_CO, All versions up to TEL_MX_ZTE_8010V1.13, All versions up to TEL_MX_ZTE_9030V1.10, All versions up to TEL_MX_ZTE_8030V1.10, All versions up to MyOS11.0.3_9045_TEL All versions up to MyOS11.0.1_8044_CLA_CO, All versions up to NON_EEA_P898F01V1.0.0B25	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:zte:blade_a52_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:blade_a52:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:zte:blade_a51_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:blade_a51:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:zte:blade_a3_lite_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:blade_a3_lite:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:zte:blade_a5_2020_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:blade_a5_2020:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:zte:blade_l210_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:blade_l210:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:zte:blade_a7s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:blade_a7s:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:zte:blade_a31_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:blade_a31:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:zte:blade_a31_plus_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:blade_a31_plus:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:zte:blade_a5_2019_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:blade_a5_2019:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:zte:blade_a71_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:blade_a71:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:zte:blade_a72_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:blade_a72:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:zte:blade_v20_smart_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:blade_v20_smart:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:zte:blade_v30_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:blade_v30:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND

cpe:2.3:o:zte:blade_v30_vita_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:blade_v30_vita:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND

cpe:2.3:o:zte:v40_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:v40_pro:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND

cpe:2.3:o:zte:blade_v40_vita_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:blade_v40_vita:-:*:*:*:*:*:*:*

Configuration 17 [-]

AND

cpe:2.3:o:zte:axon_40_ultra_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:axon_40_ultra:-:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-41617	There is an unauthorized access vulnerability in some ZTE mobile phones. If a malicious application is installed on the phone, it could overwrite some system configuration files and user installers without user permission.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00049.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1030664

History

Mon, 13 Jan 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Zte Axon 40 Ultra Axon 40 Ultra Firmware Blade A31 Blade A31 Firmware Blade A31 Plus Blade A31 Plus Firmware Blade A3 Lite Blade A3 Lite Firmware Blade A51 Blade A51 Firmware Blade A52 Blade A52 Firmware Blade A5 2019 Blade A5 2019 Firmware Blade A5 2020 Blade A5 2020 Firmware Blade A71 Blade A71 Firmware Blade A72 Blade A72 Firmware Blade A7s Blade A7s Firmware Blade L210 Blade L210 Firmware Blade V20 Smart Blade V20 Smart Firmware Blade V30 Blade V30 Firmware Blade V30 Vita Blade V30 Vita Firmware Blade V40 Vita Blade V40 Vita Firmware V40 Pro V40 Pro Firmware

MITRE

Status: PUBLISHED

Assigner: zte

Published: 2023-05-30T00:00:00.000Z

Updated: 2025-01-13T20:40:41.363Z

Reserved: 2022-08-31T00:00:00.000Z

Link: CVE-2022-39071

Vulnrichment

Updated: 2024-08-03T11:10:32.478Z

NVD

Status : Modified

Published: 2023-05-30T23:15:09.273

Modified: 2025-01-13T21:15:09.897

Link: CVE-2022-39071

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

NVD-CWE-Other

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object