Skip to main content

Zte CVE-2026-40436

| EUVDEUVD-2026-21883 HIGH
2026-04-13 zte
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Apr 13, 2026 - 07:29 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 07:15 euvd
EUVD-2026-21883
Analysis Generated
Apr 13, 2026 - 07:15 vuln.today
CVE Published
Apr 13, 2026 - 06:31 nvd
HIGH 7.1

DescriptionCVE.org

The ZTE ZXEDM iEMS product has a password reset vulnerability for any user.Because the management of the cloud EMS portal does not properly control access to the user list acquisition function, attackers can read all user list information through the user list interface. Attackers can reset the passwords of obtained user information, causing risks such as unauthorized operations.

AnalysisAI

Password reset vulnerability in ZTE ZXEDM iEMS cloud management portal allows authenticated attackers with low privileges to enumerate all user accounts and reset arbitrary user passwords. This authentication bypass enables unauthorized administrative operations across the entire EMS system. Attack requires user interaction and moderate complexity (CVSS AC:H), but no public exploit identified at time of analysis. CVSS 7.1 reflects high confidentiality, integrity, and availability impact within the vulnerable component's scope.

Technical ContextAI

ZTE ZXEDM iEMS (Integrated Element Management System) is a cloud-based network management platform for telecommunications infrastructure. The vulnerability stems from inadequate access controls on the user enumeration API endpoint within the cloud EMS portal. The broken access control allows low-privileged authenticated users to bypass intended authorization boundaries and retrieve the complete user directory, including account details necessary for password reset operations. This represents a classic horizontal privilege escalation combined with insecure direct object reference (IDOR) pattern, where authentication alone is insufficient and proper authorization checks are missing on sensitive user management functions. The affected CPE (cpe:2.3:a:zte:zxedm_iems:*:*:*:*:*:*:*:*) indicates the vulnerability affects the iEMS product line, though specific vulnerable version ranges are not disclosed in available data.

RemediationAI

Organizations using ZTE ZXEDM iEMS should immediately consult the official ZTE security bulletin at https://support.zte.com.cn/zte-iccp-isupport-webui/support/bulletin/security for vendor-provided patches and upgrade instructions. Patch availability per vendor advisory, though specific fixed version numbers are not included in current intelligence data. Until patches can be applied, implement compensating controls including: restrict network access to the iEMS portal to trusted management networks only via firewall rules or VPN requirements, enforce multi-factor authentication for all user accounts to mitigate password reset impact, monitor and audit user list API access for anomalous enumeration attempts, apply principle of least privilege to limit accounts with low-privilege access, and review all user account activity logs for unauthorized password reset operations that may have already occurred. Consider temporarily disabling the user list interface if business operations permit until patching is complete.

More in Zte

View all
CVE-2014-2321 CRITICAL POC
10.0 Mar 11

web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd

CVE-2015-7251 CRITICAL POC
9.8 Dec 30

ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE have a hardcoded password of root for the root account, whic

CVE-2015-7259 HIGH POC
8.8 Aug 24

ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow user accounts to have multiple valid

CVE-2015-7258 HIGH POC
8.8 Aug 24

ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated users to obtain

CVE-2015-7248 HIGH POC
7.5 Dec 30

ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remote attackers to discover usernames and password ha

CVE-2014-0329 CRITICAL POC
9.3 Feb 04

The TELNET service on the ZTE ZXV10 W300 router 2.1.0 has a hardcoded password ending with airocon for the admin account

CVE-2015-7250 HIGH POC
7.5 Dec 30

Absolute path traversal vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE

CVE-2017-16953 HIGH POC
7.5 Dec 01

connoppp.cgi on ZTE ZXDSL 831CII devices does not require HTTP Basic Authentication, which allows remote attackers to mo

CVE-2015-7252 MEDIUM POC
6.1 Dec 30

Cross-site scripting (XSS) vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_

CVE-2015-7257 HIGH POC
7.5 Aug 24

ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated non-administrato

CVE-2018-7364 CRITICAL POC
9.8 Dec 07

All versions up to ZXINOS-RESV1.01.43 of the ZTE ZXIN10 product European region are impacted by improper access control

CVE-2014-4018 HIGH POC
7.8 Jul 16

The ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK has a default password of admin for the admin account, which

Share

CVE-2026-40436 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy