Huawei EchoLife HG8045Q vulnerable to OS command injection


EchoLife HT8045Q provided by Huawei is an ONT (Optical Network Terminal) device.
It is equipped with the command line interface for network operators' maintenance purpose, which is disabled by default.
When the command line interface is enabled, operators can interact with a certain restricted set of commands.
The command-line interface fails to process properly a certain crafted inputs, which enables some BusyBox-implemented commands executed (CWE-78).
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 7.7 (High) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
Affected Products

  • HG8045Q Software version : V300R016C00SPC110
  • HG8045Q Software version : V300R018C10


When the command line interface is enabled, an administrator user may execute a certain set of OS commands on the device.

[Update the Software]
Update the software to the latest version according to the information provided by the developer. The developer has released the following version that addresses the vulnerability.

  • Software version : V300R016C00SPC130 (for V300R016C00SPC110)
  • Software version : R18C10SPC152 (for V300R018C10)
Vendor Information

CWE (What is CWE?)

  1. OS Command Injection(CWE-78) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2021-37028

  1. JVN : JVN#41646618
Revision History

  • [2021/08/17]
      Web page was published