CVE-2018-15005

Name of the Vulnerable Software and Affected Versions ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys

Description The device contains a pre-installed platform app with a package name of com.zte.zdm.sdm that has an exported broadcast receiver app component named com.zte.zdm.VdmcBroadcastReceiver. This component allows any app co-located on the device to initiate a factory reset programmatically without requiring any permissions. A factory reset will remove all user data and apps from the device, resulting in the loss of any data that have not been backed up or synced externally.

Recommendations For the ZTE ZMAX Champ Android device with the specified build fingerprint, consider disabling the com.zte.zdm.VdmcBroadcastReceiver component to prevent unauthorized factory resets until a patch is available. Restrict access to the com.zte.zdm.sdm app to minimize the risk of exploitation.