Severity by source
AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
ZTE Cloud PC client uSmartView contains a DLL hijacking vulnerability; since uSmartViewServiceAgent.exe runs with SYSTEM privileges, successful hijacking enables local arbitrary code execution, privilege escalation, and memory corruption.contains a DLL hijacking vulnerability; since uSmartViewServiceAgent.exe runs with SYSTEM privileges, successful hijacking enables local arbitrary code execution, privilege escalation, and memory corruption.
AnalysisAI
DLL hijacking in ZTE Cloud PC client uSmartView allows unauthenticated local attackers to achieve arbitrary code execution and privilege escalation by planting a malicious DLL that is loaded by uSmartViewServiceAgent.exe running with SYSTEM privileges. The vulnerability requires local access but no authentication and affects multiple ZXCloud IRAI product versions. No public exploit code or active exploitation has been confirmed at this time.
Technical ContextAI
The vulnerability exploits DLL search order hijacking (CWE-427), a Windows-specific attack vector where an executable searches for dynamically linked libraries in predictable locations before checking protected system directories. The vulnerable component uSmartViewServiceAgent.exe operates with SYSTEM-level privileges, making it an attractive target for privilege escalation attacks. When the service attempts to load a required DLL, an attacker with local file system access can place a malicious DLL in a directory earlier in the search path, causing the service to execute attacker-controlled code with elevated privileges. The ZXCloud IRAI platform (as identified by CPE) is ZTE's cloud-based infrastructure solution; uSmartView is its client component responsible for remote desktop or application delivery functionality.
RemediationAI
Apply the security patch released by ZTE as detailed in the official bulletin at https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/8107253322107965601. Specific patched version numbers are not independently confirmed from available data; consult the ZTE support page for exact version numbers to upgrade to. As a compensating control pending patch deployment, restrict local file system write permissions on directories in the DLL search path for uSmartViewServiceAgent.exe, particularly the application installation directory and any paths referenced in the PATH environment variable. Implement application whitelisting policies to prevent unauthorized DLL loading. Disable or restrict access to the uSmartViewServiceAgent.exe service for users who do not require Cloud PC functionality, reducing the attack surface. Ensure users do not have administrator or system-level privileges on endpoints running uSmartView unless operationally necessary-the vulnerability requires local access, and standard user accounts with restricted write permissions significantly limit exploit feasibility.
web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE have a hardcoded password of root for the root account, whic
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow user accounts to have multiple valid
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated users to obtain
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remote attackers to discover usernames and password ha
The TELNET service on the ZTE ZXV10 W300 router 2.1.0 has a hardcoded password ending with airocon for the admin account
Absolute path traversal vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE
connoppp.cgi on ZTE ZXDSL 831CII devices does not require HTTP Basic Authentication, which allows remote attackers to mo
Cross-site scripting (XSS) vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated non-administrato
All versions up to ZXINOS-RESV1.01.43 of the ZTE ZXIN10 product European region are impacted by improper access control
The ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK has a default password of admin for the admin account, which
Same weakness CWE-427 – Uncontrolled Search Path Element
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28329
GHSA-wxrx-7hm4-9f7q