CSP-CERT® Resources:
CVE-2018-7355: ZTE MF65 – Reflected Cross-Site Scripting

by CSP-CERT Vulnerability Research Team
posted September 2018

The CSP-CERT Vulnerability Research Team discovered a reflected cross-site scripting vulnerability on ZTE MF65 3G Mobile Hotspot which was distributed by local telecoms with the following firmware and hardware versions:

Firmware Version: BD_HDV6MF65V1.0.0B05
Hardware Version: MF65-1.0.0

Vulnerability Information

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

The Mobile Hotspot having the said firmware version doesn’t sanitize the input argument “cmd” used in the page “/goform_get_cmd_process”. A malicious input held by the parameter in the URL could result to client-side script execution or HTML code injection.


Upon visiting a crafted URL, an unsuspecting user can execute client-side script, or HTML code can be injected in the page which could lead to a malicious campaign for phishing or SPAM presentations.


According to ZTE, the product’s service already ended last August 2016 which in this case, no firmware patches should be expected. ZTE recommends choosing a substitute product like MF920 for updated security features.


Vendor Information

  • Vendor: ZTE
  • Date Notified: July 30, 2018
  • Public Disclose: September 10, 2018


The vulnerability was discovered by: CSP-CERT Vulnerability Research Team