Huawei E587 3G Mobile Hotspot, version 11.203.27, is prone to two vulnerabilities
in its WebUI: an XSS and a command injection.
The combination of both allows an attacker (with a little help from the victim) to remotely execute code on the device with root privileges by sending a specifically crafted SMS.
The vendor was notified on 2013/03/18.
Huawei WebUI XSS in SMS inbox page
In /js/main.js, the function smsReplaceData() is used to escape
HTML tags in incoming SMS before they are displayed in the UI.
But a specifically crafted SMS can bypass this flawed function and inject HTML tags into the SMS inbox page:
This XSS is executed when the user browses to the SMS inbox page. The device shows a notification icon on its small screen to alert the user of an incoming SMS.
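As an added illustration (not the advisory's code and not Huawei's main.js, whose flawed smsReplaceData() is not reproduced here), this is the kind of escaper the inbox page needs: one that rewrites every character the HTML parser treats as syntax, not only tag brackets, plus a helper a defender can use to flag incoming SMS that contain tag-like text. The inbox row markup is an assumption.

```javascript
// Added example: a complete HTML escaper for SMS bodies rendered into the WebUI,
// written from the defender's side. Every character below is syntax to the HTML
// parser in some context (text node, attribute value, or both), so all of them
// must be rewritten; escaping only "<" and ">" leaves attribute breakouts open.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// Escape a raw SMS string for insertion into an HTML text node or a quoted
// attribute. "&" must be escaped too: otherwise an SMS that already contains
// "&lt;" would be decoded by the browser back into a literal "<".
function escapeSmsForHtml(text) {
  return String(text).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// After escaping, none of the characters that open a tag or terminate an
// attribute value may remain. Useful as a unit-test oracle for the escaper.
function isInert(escaped) {
  return !/[<>"']/.test(escaped);
}

// Detection helper: flag an incoming SMS whose body looks like markup, so the
// firmware could log or alert on it before it ever reaches the inbox page.
function looksLikeMarkup(rawSms) {
  return /<\s*[a-zA-Z!/]/.test(rawSms) || /on[a-z]+\s*=/i.test(rawSms);
}

// Render one inbox row (assumed structure, not the real WebUI markup).
// Both the sender and the body pass through the escaper, never raw.
function renderInboxRow(sender, body) {
  return (
    "<tr><td>" + escapeSmsForHtml(sender) + "</td>" +
    "<td>" + escapeSmsForHtml(body) + "</td></tr>"
  );
}

// Constructed sample messages (not real captured SMS).
const SAMPLE_PLAIN = "Meet at 5 & bring the docs";
const SAMPLE_MARKUP = "<b>hello</b>";
```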
Huawei WebUI Shell injection (CVE-2013-2612)
The HTTP endpoint "/api/device/time" in the WebUI is vulnerable to
shell command injection. This allows code execution with root
You need to split your shell command into children of the
<request> node in order to respect the 7-character limit for each
Now, you may try to combine them.