CVE-2024-45416

Name of the Vulnerable Software and Affected Versions: ZTE routers (affected versions not specified)

Description: The HTTPD binary in multiple ZTE routers has a local file inclusion vulnerability in the session init function. This function executes session -LUA- files stored in the /var/lua session directory using the dofile function without validation. An attacker who can write a malicious file in the sessions directory can achieve remote code execution as root.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.