CVE-2024-22064

ZTE ZXUN-ePDG product, which serves as the network node of the VoWifi system, under by default configuration, uses a set of non-unique cryptographic keys during establishing a secure connection(IKE) with the mobile devices connecting over the internet . If the set of keys are leaked or cracked, the user session informations using the keys may be leaked.

CVSS v3 8.3 HIGH

8.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.5

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1035524	Vendor Advisory
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1035524	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:zte:zxun-epdg:*:*:*:*:*:*:*:*

History

28 Jan 2025, 16:12

Type	Values Removed	Values Added
CPE	cpe:2.3:h:zte:zxun-epdg:-:::::::* cpe:2.3:o:zte:zxun-epdg_firmware::::::::	cpe:2.3:a:zte:zxun-epdg::::::::

27 Jan 2025, 18:36

Type	Values Removed	Values Added
CPE		cpe:2.3:h:zte:zxun-epdg:-:::::::* cpe:2.3:o:zte:zxun-epdg_firmware::::::::
References	~~() https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1035524 -~~	() https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1035524 - Vendor Advisory
First Time		Zte zxun-epdg Zte Zte zxun-epdg Firmware
CWE		CWE-665

Information

Published : 2024-05-14 14:56

Updated : 2025-01-28 16:12

NVD link : CVE-2024-22064

Mitre link : CVE-2024-22064

CVE.ORG link : CVE-2024-22064

JSON object : View

Products Affected

zte

zxun-epdg

CWE

CWE-1051

Initialization with Hard-Coded Network Resource Configuration Data

CWE-665

Improper Initialization

{"id": "CVE-2024-22064", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@zte.com.cn", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.5, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-05-14T14:56:40.160", "references": [{"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1035524", "tags": ["Vendor Advisory"], "source": "psirt@zte.com.cn"}, {"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1035524", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@zte.com.cn", "description": [{"lang": "en", "value": "CWE-1051"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-665"}]}], "descriptions": [{"lang": "en", "value": "ZTE ZXUN-ePDG product, which serves as the network node of the VoWifi system, under by default configuration, uses a set of non-unique cryptographic keys during establishing a secure connection(IKE) with the mobile devices connecting over the internet . If the set of keys are leaked or cracked, the user session informations using the keys may be leaked.\n\n"}, {"lang": "es", "value": "El producto ZTE ZXUN-ePDG, que sirve como nodo de red del sistema VoWifi, en su configuraci\u00f3n predeterminada, utiliza un conjunto de claves criptogr\u00e1ficas no \u00fanicas al establecer una conexi\u00f3n segura (IKE) con los dispositivos m\u00f3viles que se conectan a trav\u00e9s de Internet. Si el conjunto de claves se filtra o se descifra, es posible que se filtre la informaci\u00f3n de la sesi\u00f3n del usuario que utiliza las claves."}], "lastModified": "2025-01-28T16:12:31.863", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zte:zxun-epdg:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "428020C1-365E-4AD1-AFF7-51D3916201BE", "versionEndExcluding": "5.20.20"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@zte.com.cn"}