ZTE ZXV10 W300 Multiple Vulnerabilities

Summary
This host is running a ZTE ZXV10 W300 router and is prone to multiple vulnerabilities.
Impact
Successful exploitation will allow remote attackers to trivially gain privileged access to the device, execute arbitrary commands and gain access to arbitrary files.
Impact Level: System/Application
Solution
No solution or patch is available as of 20th February, 2015. Information regarding this issue will be updated once the solution details are available. For updates refer to http://wwwen.zte.com.cn/en
Insight
- The 'admin' account has a default password of 'admin', which is publicly known and documented. This allows remote attackers to trivially gain privileged access to the device.
- A flaw in /basic/home_wan.htm: the device exposes the device password in the source of the page when a user authenticates to the device.
- HTTP requests to /Forms/tools_admin_1 do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions, so those actions can be triggered by cross-site request forgery.
- The rom-0 backup file contains sensitive information such as the router password, and anyone can download that file without any authentication by a simple HTTP GET request.
Affected
ZTE ZXV10 W300
Detection
Send an HTTP GET request for the rom-0 backup file, with no credentials or with the default credentials, and check whether the device returns the file.
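The following script is an added example, not the original detection code or ZTE's, that checks a target for the four behaviours listed under Insight and performs the rom-0 detection described above. It assumes the device protects its pages with HTTP Basic authentication, that the disclosed password appears in an <input type="password" value="..."> field, and that an anti-CSRF token would appear as a hidden form field; none of these details are stated in the advisory. The mock device it starts when run without a URL is constructed here for offline testing and only imitates the behaviours described.

```python
"""Check a ZTE ZXV10 W300-style device for the issues in this advisory (added example)."""
import base64
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

DEFAULT_CREDS = ("admin", "admin")   # documented default account
ROM0_PATH = "/rom-0"                 # backup file served without authentication
WAN_PAGE = "/basic/home_wan.htm"     # page that leaks the password in its source
ADMIN_FORM = "/Forms/tools_admin_1"  # sensitive form handled without a unique token

# Assumption: the password is leaked as the value of a password input field.
PASSWORD_INPUT = re.compile(
    r'<input[^>]+type=["\']password["\'][^>]*value=["\']([^"\']*)["\']', re.I)
# Assumption: an anti-CSRF token would be a hidden input named token/nonce/csrf.
TOKEN_INPUT = re.compile(
    r'<input[^>]+type=["\']hidden["\'][^>]*name=["\'][^"\']*(token|nonce|csrf)', re.I)


def http_get(url, creds=None, timeout=5):
    """GET url and return (status, body); creds=None sends no Authorization header."""
    req = urllib.request.Request(url)
    if creds:
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def rom0_disclosed(base_url):
    """True if /rom-0 is returned unauthenticated and is a binary blob, not a login page."""
    status, body = http_get(base_url + ROM0_PATH)
    looks_binary = bool(body) and b"<html" not in body[:512].lower()
    return status == 200 and looks_binary


def default_creds_accepted(base_url):
    """True if the root page rejects anonymous access but accepts admin/admin (Basic auth assumed)."""
    unauth, _ = http_get(base_url + "/")
    auth, _ = http_get(base_url + "/", creds=DEFAULT_CREDS)
    return unauth == 401 and auth == 200


def password_in_source(html):
    """Return non-empty password values embedded in a page's HTML source."""
    return [value for value in PASSWORD_INPUT.findall(html) if value]


def admin_form_lacks_token(html):
    """True if a form posting to /Forms/tools_admin_1 carries no hidden anti-CSRF token field."""
    for form in re.findall(r"<form.*?</form>", html, re.I | re.S):
        if ADMIN_FORM in form:
            return not TOKEN_INPUT.search(form)
    return False


def scan(base_url):
    """Run all four checks and return {finding_name: bool}."""
    findings = {"rom0_disclosure": rom0_disclosed(base_url),
                "default_credentials": default_creds_accepted(base_url)}
    status, body = http_get(base_url + WAN_PAGE, creds=DEFAULT_CREDS)
    html = body.decode(errors="replace") if status == 200 else ""
    findings["password_in_page_source"] = bool(password_in_source(html))
    findings["tools_admin_without_token"] = admin_form_lacks_token(html)
    return findings


# Constructed mock device for offline runs; imitates only the advisory's behaviours.
MOCK_WAN_PAGE = ('<html><body><form action="/Forms/tools_admin_1" method="post">'
                 '<input type="password" name="sysPassword" value="admin">'
                 '<input type="submit" value="Apply"></form></body></html>')
MOCK_ROM0 = bytes(range(256)) * 4  # stand-in for the binary config backup


class _MockDevice(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass

    def _send(self, code, body, ctype):
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == ROM0_PATH:  # no authentication check, as described
            return self._send(200, MOCK_ROM0, "application/octet-stream")
        expected = "Basic " + base64.b64encode(b"admin:admin").decode()
        if self.headers.get("Authorization") != expected:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="W300"')
            return self.end_headers()
        self._send(200, MOCK_WAN_PAGE.encode(), "text/html")


def start_mock_device():
    """Start the mock on a free loopback port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), _MockDevice)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else start_mock_device()
    for name, hit in scan(target).items():
        print(f"{name}: {'VULNERABLE' if hit else 'not observed'}")
```

Run it as `python check_w300.py http://192.0.2.1` against a real device (address shown is a placeholder); with no argument it scans the built-in mock and reports all four findings. The rom-0 check deliberately treats any HTML body as a negative result, since a login page returned with status 200 is the common false positive for this kind of unauthenticated-download test.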
References