cbcvebase.
CVE-2014-4019
published 2020-02-20

CVE-2014-4019: ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK stores sensitive information under the web root with insufficient access control, which allows remote…

PriorityP178high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
12.37%
95.7th percentile
ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK stores sensitive information under the web root with insufficient access control, which allows remote attackers to read backup files via a direct request for rom-0.

Affected

1 ranges
VendorProductVersion rangeFixed in
ztezxv10_w300_firmware

Detection & IOCsextracted from sources · hover to see the quote

urlhttp://192.168.1.1/rom-0
path/rom-0
urlhttp://192.168.1.1/basic/tc2wanfun.js
path/basic/tc2wanfun.js
path/Forms/tools_admin_1
filenamerom-0
versionRomPager/4.07 UPnP/1.0
  • Detect unauthenticated HTTP GET requests for the path /rom-0 — this file contains the router's compressed configuration including credentials and requires no authentication to retrieve.
  • Monitor HTTP GET requests to /basic/tc2wanfun.js from unauthenticated or external sources; this JavaScript file exposes PPPoE/PPPoA credentials in plaintext after a user authenticates.
  • Flag HTTP servers identifying as RomPager/4.07 as vulnerable; this server version is confirmed affected across ZTE and TP-Link devices.
  • ·The exploit and IOCs use the default LAN gateway 192.168.1.1; the /rom-0 path is accessible on any IP the router is reachable from, including WAN-facing interfaces if remote management is enabled.
  • ·Confirmed affected firmware is W300V1.0.0a_ZRD_LK on ZTE ZXV10 W300; other firmware versions on the same hardware may also be vulnerable but were not tested.
  • ·The tc2wanfun.js credential exposure only persists until the next router restart; credentials are written to the JS file only after a successful user authentication session.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.