Severity by source
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
The ZTE ZXEDM iEMS product has a password reset vulnerability for any user.Because the management of the cloud EMS portal does not properly control access to the user list acquisition function, attackers can read all user list information through the user list interface. Attackers can reset the passwords of obtained user information, causing risks such as unauthorized operations.
AnalysisAI
Password reset vulnerability in ZTE ZXEDM iEMS cloud management portal allows authenticated attackers with low privileges to enumerate all user accounts and reset arbitrary user passwords. This authentication bypass enables unauthorized administrative operations across the entire EMS system. Attack requires user interaction and moderate complexity (CVSS AC:H), but no public exploit identified at time of analysis. CVSS 7.1 reflects high confidentiality, integrity, and availability impact within the vulnerable component's scope.
Technical ContextAI
ZTE ZXEDM iEMS (Integrated Element Management System) is a cloud-based network management platform for telecommunications infrastructure. The vulnerability stems from inadequate access controls on the user enumeration API endpoint within the cloud EMS portal. The broken access control allows low-privileged authenticated users to bypass intended authorization boundaries and retrieve the complete user directory, including account details necessary for password reset operations. This represents a classic horizontal privilege escalation combined with insecure direct object reference (IDOR) pattern, where authentication alone is insufficient and proper authorization checks are missing on sensitive user management functions. The affected CPE (cpe:2.3:a:zte:zxedm_iems:*:*:*:*:*:*:*:*) indicates the vulnerability affects the iEMS product line, though specific vulnerable version ranges are not disclosed in available data.
RemediationAI
Organizations using ZTE ZXEDM iEMS should immediately consult the official ZTE security bulletin at https://support.zte.com.cn/zte-iccp-isupport-webui/support/bulletin/security for vendor-provided patches and upgrade instructions. Patch availability per vendor advisory, though specific fixed version numbers are not included in current intelligence data. Until patches can be applied, implement compensating controls including: restrict network access to the iEMS portal to trusted management networks only via firewall rules or VPN requirements, enforce multi-factor authentication for all user accounts to mitigate password reset impact, monitor and audit user list API access for anomalous enumeration attempts, apply principle of least privilege to limit accounts with low-privilege access, and review all user account activity logs for unauthorized password reset operations that may have already occurred. Consider temporarily disabling the user list interface if business operations permit until patching is complete.
web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE have a hardcoded password of root for the root account, whic
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow user accounts to have multiple valid
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated users to obtain
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remote attackers to discover usernames and password ha
The TELNET service on the ZTE ZXV10 W300 router 2.1.0 has a hardcoded password ending with airocon for the admin account
Absolute path traversal vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE
connoppp.cgi on ZTE ZXDSL 831CII devices does not require HTTP Basic Authentication, which allows remote attackers to mo
Cross-site scripting (XSS) vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated non-administrato
All versions up to ZXINOS-RESV1.01.43 of the ZTE ZXIN10 product European region are impacted by improper access control
The ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK has a default password of admin for the admin account, which
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21883