CVE-2025-46581
ZTE · ZTE ZXCDN
Executive summary
A critical remote code execution (RCE) vulnerability, identified as CVE-2025-46581, has been discovered in ZTE's ZXCDN product. This flaw allows an unauthenticated attacker to remotely execute arbitrary commands on the affected server, potentially leading to a complete system compromise, data theft, and service disruption. Due to its high severity (CVSS 9.8) and the ease of exploitation, immediate remediation is required.
Vulnerability
This vulnerability is a remote code execution flaw within the Apache Struts framework used by the ZTE ZXCDN product. An unauthenticated remote attacker can exploit this issue by sending a specially crafted HTTP request to a vulnerable server. The Struts framework fails to properly sanitize input within the request, allowing the attacker to inject and execute arbitrary system commands with the privileges of the web server process (non-root).
Business impact
The vulnerability poses a critical risk to the organization, reflected by its CVSS score of 9.8. Successful exploitation could lead to the complete compromise of the affected ZXCDN server. Potential consequences include unauthorized access to and exfiltration of sensitive data, deployment of malware such as ransomware, disruption of critical services, and the ability for an attacker to use the compromised system as a pivot point for further attacks into the internal network. The business impact includes significant financial loss, reputational damage, and operational downtime.
Remediation
Immediate Action: The primary remediation is to apply the security patches provided by the vendor. Organizations must identify all vulnerable instances of the ZTE ZXCDN product and update them to the latest secure version immediately. Following the update, review access and error logs for any signs of exploitation that may have occurred prior to patching.
Proactive Monitoring: Implement enhanced monitoring on affected systems. Security teams should actively review web server logs for unusual or malformed requests, particularly those containing patterns associated with Struts exploits (e.g., suspicious OGNL expressions). Monitor for unexpected outbound network connections from the server and any anomalous processes spawned by the web server's user account.
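As an added illustration of the log review described above (this is example code, not part of the advisory or a ZTE tool), the following script scans web server access-log lines for OGNL expression syntax that ordinary clients never send. It assumes a combined-log-format input and URL-decodes each line repeatedly so that double-encoded requests are not missed; the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Indicators of OGNL expression syntax in a request. These are generic
# markers, not a signature for any one Struts issue.
OGNL_INDICATORS = {
    "ognl_expression_open": re.compile(r"[%$]\{"),   # %{...} or ${...} opener
    "ognl_keyword": re.compile(r"ognl", re.IGNORECASE),
}

# Constructed sample access log (combined log format); line 2 carries a
# double-encoded "%{...}" in the query string, line 4 a suspicious User-Agent.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2025:08:01:12 +0000] "GET /index.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2025:08:01:13 +0000] "GET /index.action?q=%2525%257Bplaceholder%257D HTTP/1.1" 500 0 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jun/2025:08:02:40 +0000] "GET /static/logo.png HTTP/1.1" 200 8820 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2025:08:03:02 +0000] "GET /index.action HTTP/1.1" 200 5123 "-" "ognl-probe/1.0"',
]


def fully_decode(text, max_rounds=3):
    """URL-decode repeatedly until stable, so %2525%257B -> %25%7B -> %{ is caught."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_ognl_indicators(line):
    """Return the sorted list of indicator names present in one decoded log line."""
    decoded = fully_decode(line)
    return sorted(name for name, rx in OGNL_INDICATORS.items() if rx.search(decoded))


def scan_log(lines):
    """Return [(line_number, [indicator, ...]), ...] for lines worth analyst review."""
    hits = []
    for number, line in enumerate(lines, start=1):
        indicators = find_ognl_indicators(line)
        if indicators:
            hits.append((number, indicators))
    return hits


if __name__ == "__main__":
    for number, indicators in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(indicators)} -> {SAMPLE_LOG[number - 1]}")
```

Flagged lines are candidates for review, not confirmed exploitation; correlate them with the process and outbound-connection monitoring recommended above.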
Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:
- Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block Apache Struts exploitation attempts.
- Restrict network access to the vulnerable application, allowing connections only from trusted IP addresses and internal networks.
- Enhance network segmentation to isolate the affected server, preventing potential lateral movement in the event of a compromise.
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given the critical CVSS score of 9.8 and the public availability of exploit code, this vulnerability requires immediate attention. We strongly recommend that organizations prioritize patching all affected ZTE ZXCDN instances without delay. Although this CVE is not currently on the CISA KEV list, its characteristics make it a prime candidate for future inclusion. If patching cannot be immediately performed, the compensating controls outlined above must be implemented as a matter of urgency to mitigate the significant risk of system compromise.