Skip to main content

ZTE uSmartView CVE-2026-44406

| EUVDEUVD-2026-28329 MEDIUM
Uncontrolled Search Path Element (CWE-427)
2026-05-07 zte GHSA-wxrx-7hm4-9f7q
5.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.7 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 07, 2026 - 07:45 vuln.today
CVE Published
May 07, 2026 - 06:49 nvd
MEDIUM 5.7

DescriptionCVE.org

ZTE Cloud PC client uSmartView contains a DLL hijacking vulnerability; since uSmartViewServiceAgent.exe runs with SYSTEM privileges, successful hijacking enables local arbitrary code execution, privilege escalation, and memory corruption.contains a DLL hijacking vulnerability; since uSmartViewServiceAgent.exe runs with SYSTEM privileges, successful hijacking enables local arbitrary code execution, privilege escalation, and memory corruption.

AnalysisAI

DLL hijacking in ZTE Cloud PC client uSmartView allows unauthenticated local attackers to achieve arbitrary code execution and privilege escalation by planting a malicious DLL that is loaded by uSmartViewServiceAgent.exe running with SYSTEM privileges. The vulnerability requires local access but no authentication and affects multiple ZXCloud IRAI product versions. No public exploit code or active exploitation has been confirmed at this time.

Technical ContextAI

The vulnerability exploits DLL search order hijacking (CWE-427), a Windows-specific attack vector where an executable searches for dynamically linked libraries in predictable locations before checking protected system directories. The vulnerable component uSmartViewServiceAgent.exe operates with SYSTEM-level privileges, making it an attractive target for privilege escalation attacks. When the service attempts to load a required DLL, an attacker with local file system access can place a malicious DLL in a directory earlier in the search path, causing the service to execute attacker-controlled code with elevated privileges. The ZXCloud IRAI platform (as identified by CPE) is ZTE's cloud-based infrastructure solution; uSmartView is its client component responsible for remote desktop or application delivery functionality.

RemediationAI

Apply the security patch released by ZTE as detailed in the official bulletin at https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/8107253322107965601. Specific patched version numbers are not independently confirmed from available data; consult the ZTE support page for exact version numbers to upgrade to. As a compensating control pending patch deployment, restrict local file system write permissions on directories in the DLL search path for uSmartViewServiceAgent.exe, particularly the application installation directory and any paths referenced in the PATH environment variable. Implement application whitelisting policies to prevent unauthorized DLL loading. Disable or restrict access to the uSmartViewServiceAgent.exe service for users who do not require Cloud PC functionality, reducing the attack surface. Ensure users do not have administrator or system-level privileges on endpoints running uSmartView unless operationally necessary-the vulnerability requires local access, and standard user accounts with restricted write permissions significantly limit exploit feasibility.

More in Zte

View all
CVE-2014-2321 CRITICAL POC
10.0 Mar 11

web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd

CVE-2015-7251 CRITICAL POC
9.8 Dec 30

ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE have a hardcoded password of root for the root account, whic

CVE-2015-7259 HIGH POC
8.8 Aug 24

ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow user accounts to have multiple valid

CVE-2015-7258 HIGH POC
8.8 Aug 24

ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated users to obtain

CVE-2015-7248 HIGH POC
7.5 Dec 30

ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remote attackers to discover usernames and password ha

CVE-2014-0329 CRITICAL POC
9.3 Feb 04

The TELNET service on the ZTE ZXV10 W300 router 2.1.0 has a hardcoded password ending with airocon for the admin account

CVE-2015-7250 HIGH POC
7.5 Dec 30

Absolute path traversal vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE

CVE-2017-16953 HIGH POC
7.5 Dec 01

connoppp.cgi on ZTE ZXDSL 831CII devices does not require HTTP Basic Authentication, which allows remote attackers to mo

CVE-2015-7252 MEDIUM POC
6.1 Dec 30

Cross-site scripting (XSS) vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_

CVE-2015-7257 HIGH POC
7.5 Aug 24

ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated non-administrato

CVE-2018-7364 CRITICAL POC
9.8 Dec 07

All versions up to ZXINOS-RESV1.01.43 of the ZTE ZXIN10 product European region are impacted by improper access control

CVE-2014-4018 HIGH POC
7.8 Jul 16

The ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK has a default password of admin for the admin account, which

Share

CVE-2026-44406 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy