| Title | ZLT M30s MTNNGRM30S_1.47, M30S_1.47 (other versions might be vulnerable) Improper Access Control - Critical Information Disclosure |
|---|---|
| Description | The /reqproc/proc_post endpoint of the web management interface can be accessed without authentication and returns sensitive device information when the isTest parameter is set to false and the goformId parameter is set to export_information. This includes configuration data that exposes administrative account credentials in plaintext. As a result, an attacker can retrieve information sufficient to gain full access to the device's web management interface. |
| Source | https://www.hacklab.eu.org/blogs/zlt_m30s_information_disclosure |
| User | S33K3R (UID 92688) |
| Submission | 12/05/2025 04:45 PM (3 months ago) |
| Moderation | 12/25/2025 10:36 AM (20 days later) |
| Status | Accepted |
| VulDB entry | 338410 [TOZED ZLT M30s up to 1.47 Web Management Interface /reqproc/proc_post goformId information disclosure] |
| Points | 20 |