cbcvebase.
CVE-2014-0329
published 2014-02-04


Priority: P2 64 (critical)
CVSS 2.0: 9.3, vector AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 8.52% (94.4th percentile)
The TELNET service on the ZTE ZXV10 W300 router 2.1.0 has a hardcoded password ending with airocon for the admin account, which allows remote attackers to obtain administrative access by leveraging knowledge of the MAC address characters present at the beginning of the password.

Affected

1 range
Vendor | Product | Version range | Fixed in
zte | zxv10_w300 | |

Detection & IOCs (extracted from sources)

port: 23/tcp (telnet)
port: 161/udp (snmp)
command: XXXXairocon (password pattern where XXXX = last 4 chars of MAC address)
command: SNMP OID .1.3.6.1.2.1.2.2.1.6.10000 (used to retrieve MAC address)
other: SNMP community string: public
other: Shodan dork: Basic realm="index.htm"
  • Detect exploitation attempts by monitoring Telnet (TCP/23) login attempts using the credential pattern 'admin' / '[A-F0-9]{4}airocon' (last 4 MAC address hex chars + literal 'airocon').
  • Monitor for SNMP GET requests targeting OID .1.3.6.1.2.1.2.2.1.6.10000 using community string 'public' — this is the reconnaissance step used to retrieve the MAC address before constructing the hardcoded password.
  • Alert on sequential SNMP (UDP/161) followed by Telnet (TCP/23) connections from the same source IP to ZTE ZXV10 W300 devices — this two-stage pattern (MAC harvest then Telnet login) is characteristic of CVE-2014-0329 exploitation.
  • After Telnet login, the exploit sends the command sequence 'sh\rlogin show\rexit' — monitor Telnet session content for this command string as a post-auth indicator of compromise.
  • The hardcoded password is device-specific (derived from the last 4 characters of the MAC address), so a static password blocklist is insufficient; detection must use the regex pattern '[A-F0-9]{4}airocon' rather than a fixed string.
  • SNMP must be accessible with the default community string 'public' for the attacker to retrieve the MAC address remotely; blocking SNMP access or changing the community string raises the attack complexity.
  • The exploit targets firmware version 2.1.0 specifically; verify device firmware version before applying detection rules to avoid false positives on other ZTE models.
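
The correlation described in the bullets above, as an added example (not code from this page or its sources): it flags the SNMP MAC-address query, the Telnet credential pattern, and raises severity when both come from the same source within a time window. The event schema, field names, the 10-minute window and the sample events are assumptions constructed for illustration; the OID, community string and regex are the ones listed above.

```python
import re
from datetime import datetime, timedelta

MAC_OID = ".1.3.6.1.2.1.2.2.1.6.10000"        # OID listed on this page
CRED_RE = re.compile(r"[A-F0-9]{4}airocon")    # password pattern listed on this page
WINDOW = timedelta(minutes=10)                 # assumption: tune per environment

# Constructed sample events in a hypothetical normalized schema (not real telemetry).
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "src": "198.51.100.7", "dst": "192.0.2.1",
     "proto": "snmp", "community": "public", "oid": MAC_OID},
    {"ts": "2024-01-01T10:00:20", "src": "198.51.100.7", "dst": "192.0.2.1",
     "proto": "telnet", "user": "admin", "password": "3F2Aairocon"},
    {"ts": "2024-01-01T10:05:00", "src": "203.0.113.9", "dst": "192.0.2.1",
     "proto": "telnet", "user": "admin", "password": "letmein"},
    {"ts": "2024-01-01T10:06:00", "src": "203.0.113.50", "dst": "192.0.2.1",
     "proto": "telnet", "user": "admin", "password": "00B1airocon"},
    {"ts": "2024-01-01T10:07:00", "src": "203.0.113.9", "dst": "192.0.2.1",
     "proto": "snmp", "community": "public", "oid": ".1.3.6.1.2.1.1.1.0"},
]

def detect(events, window=WINDOW):
    """Return (severity, src, dst, rule) tuples in event-time order."""
    mac_query_seen = {}   # (src, dst) -> time of the last MAC-address OID query
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        pair = (ev["src"], ev["dst"])
        if ev["proto"] == "snmp":
            if ev.get("community") == "public" and ev.get("oid") == MAC_OID:
                mac_query_seen[pair] = ts
                alerts.append(("low", *pair, "snmp-mac-oid-query"))
        elif ev["proto"] == "telnet":
            # fullmatch: the whole password must be 4 hex chars + 'airocon'
            if ev.get("user") != "admin" or not CRED_RE.fullmatch(ev.get("password", "")):
                continue
            seen = mac_query_seen.get(pair)
            if seen is not None and ts - seen <= window:
                alerts.append(("high", *pair, "snmp-then-telnet"))
            else:
                alerts.append(("medium", *pair, "telnet-credential-pattern"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The pattern match without a preceding SNMP query is still reported at medium severity, since the MAC address can be learned by other means than the SNMP step.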