Skip to main content

ZTE ZX297520V3 BootROM CVE-2026-40003

| EUVDEUVD-2026-28232 MEDIUM
Out-of-bounds Write (CWE-787)
2026-05-07 zte GHSA-2jfv-r29r-j6wr
5.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L
Attack Vector
Physical
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 07, 2026 - 02:15 vuln.today
CVE Published
May 07, 2026 - 01:15 nvd
MEDIUM 5.1

DescriptionCVE.org

ZTE ZX297520V3 BootROM contains a vulnerability that allows arbitrary memory writes via USB. Attackers can exploit the lack of target address validation in the USB download mode to write data to any location in BootROM runtime memory, thereby overwriting the stack, hijacking the execution flow, bypassing the Secure Boot signature verification mechanism, and achieving unauthorized code execution.

AnalysisAI

Arbitrary memory writes via USB in ZTE ZX297520V3 BootROM allow physical attackers with USB access to bypass Secure Boot signature verification and achieve unauthorized code execution by exploiting missing target address validation in USB download mode. The vulnerability requires physical device access and user interaction (device boot into download mode), resulting in a CVSS score of 5.1, but enables complete bypass of cryptographic security mechanisms and Secure Boot protections.

Technical ContextAI

ZTE ZX297520V3 BootROM is the low-level boot firmware that initializes ZTE networking equipment before the main operating system loads. The BootROM implements a USB download mode for firmware updates and recovery operations. The vulnerability stems from CWE-787 (Out-of-bounds Write), where the USB download protocol accepts write commands without validating the target memory address. Attackers can specify arbitrary addresses in BootROM runtime memory during the download phase, allowing them to overwrite critical memory regions including the stack, function return addresses, and potentially Secure Boot verification code or cryptographic keys. The lack of address range validation means the download handler does not restrict writes to intended firmware regions, enabling arbitrary memory corruption and execution flow hijacking before Secure Boot mechanisms can verify the final kernel image.

RemediationAI

ZTE has released security advisories and patches via their support portal. Affected organizations should immediately check the ZTE support bulletin (reference: https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2144487415169560645) for available firmware updates that address the BootROM vulnerability. Apply the latest patched BootROM version to all ZX297520V3 devices. As a compensating control, enforce strict physical security around ZTE equipment: restrict direct USB access to devices via port locks or cable guards, disable USB download mode in production environments (accessible only through secured serial console or management interfaces), and implement facility-level access controls to prevent unauthorized personnel from accessing devices during the boot phase. For devices already deployed, monitor physical access logs and audit trails. Note that BootROM vulnerabilities cannot be patched in the field if Secure Boot is disabled; therefore, devices suspected of compromise should be returned to ZTE for secure BootROM reprogramming.

More in Zte

View all
CVE-2014-2321 CRITICAL POC
10.0 Mar 11

web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd

CVE-2015-7251 CRITICAL POC
9.8 Dec 30

ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE have a hardcoded password of root for the root account, whic

CVE-2015-7259 HIGH POC
8.8 Aug 24

ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow user accounts to have multiple valid

CVE-2015-7258 HIGH POC
8.8 Aug 24

ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated users to obtain

CVE-2015-7248 HIGH POC
7.5 Dec 30

ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remote attackers to discover usernames and password ha

CVE-2014-0329 CRITICAL POC
9.3 Feb 04

The TELNET service on the ZTE ZXV10 W300 router 2.1.0 has a hardcoded password ending with airocon for the admin account

CVE-2015-7250 HIGH POC
7.5 Dec 30

Absolute path traversal vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE

CVE-2017-16953 HIGH POC
7.5 Dec 01

connoppp.cgi on ZTE ZXDSL 831CII devices does not require HTTP Basic Authentication, which allows remote attackers to mo

CVE-2015-7252 MEDIUM POC
6.1 Dec 30

Cross-site scripting (XSS) vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_

CVE-2015-7257 HIGH POC
7.5 Aug 24

ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated non-administrato

CVE-2018-7364 CRITICAL POC
9.8 Dec 07

All versions up to ZXINOS-RESV1.01.43 of the ZTE ZXIN10 product European region are impacted by improper access control

CVE-2014-4018 HIGH POC
7.8 Jul 16

The ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK has a default password of admin for the admin account, which

Share

CVE-2026-40003 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy