This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy

Security Advisory-Vulnerability in Image Upload of User-defined Devices to Huawei eSight System

  • SA No:Huawei-SA-20131228-03
  • Initial Release Date: Dec 28, 2013
  • Last Release Date: Feb 11, 2014

Huawei eSight System is an operation and maintenance system that Huawei develops for next-generation wireless/wired enterprise campus networks, enterprise branches, and data centers. When users adapt new devices for it, the server verifies the format of the files to be uploaded unsuccessfully. Therefore, attackers upload malicious code to the server. (HWPSIRT-2013-1257).

This Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2014-1689.

Product name



V200R003C00 and earlier versions

The impacts vary with the functions of uploaded malicious code, such as information loss, service interruption, and server down.

The vulnerability classification has been performed by using the CVSSv2 scoring system (

Base Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)

Temporal Score: 6.3 (E:F/RL:O/RC:C)

1. Prerequisite:

The attackers must be able to monitor communication between the user and server.

2. Attacking procedure:

The attacker uploads malicious code to the server by exploiting the vulnerability.

Upgrading version and upgrading date:

Product name

Solved version

Solved time




Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at

This vulnerability is found by Huawei internal test engineer. The Huawei PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

For security problems about Huawei products and solutions, please

For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.

2014-02-11 V1.1 UPDATED update the information of CVE-ID 

2013-12-28 V1.0 INITIAL

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

Complete information for providing feedback on security vulnerability of Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information, is available on Huawei's worldwide website at