CVE-2021-47740
Unknown Unknown - Not Provided
Session Management Flaw in KZTech JT3500V Enables Unauthorized Access

Publication date: 2025-12-31

Last updated on: 2025-12-31

Assigner: VulnCheck

Description
KZTech JT3500V 4G LTE CPE 2.0.1 contains a session management vulnerability that allows attackers to reuse old session credentials without proper expiration. Attackers can exploit the weak session handling to maintain unauthorized access and potentially compromise device authentication mechanisms.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-31
Last Modified
2025-12-31
Generated
2026-06-16
AI Q&A
2025-12-31
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47740
Affected Vendors & Products
Showing 16 associated CPEs
Vendor Product Version / Range
kztech am5000w 2.0.0b3037
kztech am3100v 2.0.0b946
kztech kz3120r 2.0.0b01
kztech am3100e 2.0.0b981
kztech kz7621u 2.0.0b14
kztech am3000m 2.0.0b21
kztech am4200m 2.0.0b2996
kztech am3500mw 2.0.0b1092
kztech am3410v 2.0.0b1085
kztech am4100v 2.0.0b2988
kztech kz3220m 2.0.0b04
kztech am3300v 2.0.0b1060
kztech jt3500v 2.0.1b1064
kztech jt3500v 2.0.1
kztech am6200m 2.0.0b3210
kztech am6000n 2.0.0b3042
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects KZTech JT3500V 4G LTE CPE and related models, where the devices have insufficient session expiration in their web application interface. Attackers can reuse old session credentials or session IDs because the sessions do not expire properly. This allows unauthorized users to bypass security controls and maintain access to the device by hijacking or reusing legitimate user sessions. [3, 5]

Impact Analysis

The vulnerability can lead to unauthorized access to the affected devices by allowing attackers to reuse old session credentials. This can compromise device authentication mechanisms and potentially enable persistent unauthorized control over the device, exposing the network and connected systems to security risks. [3, 5]

Detection Guidance

This vulnerability can be detected by testing whether old session credentials or session IDs can still be used to access the device without expiration. A practical approach is to capture session tokens during normal authentication and then attempt to reuse these tokens after logout or session timeout to see if access is still granted. Specific commands are not provided in the resources, but using tools like curl or browser developer tools to capture and replay session cookies or tokens against the device's web interface can help verify the vulnerability. [3, 5]

Mitigation Strategies

Immediate mitigation steps include updating the device firmware to a version that properly handles session expiration and prevents reuse of old session credentials. If a firmware update is not available, implementing additional session management controls such as forcing logout on session expiration, disabling persistent sessions, or restricting access to trusted networks can help reduce risk. [5]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47740. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart