Skip to main content

ZXUniPOS NDS-LTE CVE-2026-49001

| EUVDEUVD-2026-32109 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-27 zte GHSA-wggp-h5mg-v3hg
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:25 vuln.today

DescriptionCVE.org

Cross-site request forgery (CSRF) vulnerabilities allow attackers to exploit a user's authenticated session to forge cross-site requests, inducing the execution of unintended operations such as tampering with configuration data.

AnalysisAI

CSRF vulnerability in ZTE ZXUniPOS NDS-LTE enables an attacker to forge authenticated cross-site requests that modify system configuration data on behalf of a high-privilege user. The CVSS vector (PR:H/UI:R/AC:H) tightly constrains exploitation: a high-privilege administrator must be actively tricked into visiting attacker-controlled content while an authenticated session is live. No public exploit code exists and no KEV listing is present; EPSS at 0.02% (4th percentile) and SSVC Exploitation=none collectively signal negligible observed real-world exploitation activity.

Technical ContextAI

ZXUniPOS NDS-LTE is a ZTE network management application for LTE network domain solutions (CPE: cpe:2.3:a:zte:zxunipos_nds-lte:*:*:*:*:*:*:*:*). CWE-352 (Cross-Site Request Forgery) arises when a web application performs state-changing operations without verifying that the originating request came from the legitimate authenticated session rather than a forged cross-origin request. The root cause class indicates the application either lacks anti-CSRF tokens, does not validate the Origin/Referer header, or has a bypassable implementation of such controls. The AC:H component of the CVSS vector implies partial protections exist but are circumventable under specific conditions, consistent with CSRF defenses that are inconsistently applied across all configuration endpoints.

RemediationAI

Consult the ZTE security bulletin at https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/3711746568357343400 for the official patched release. An exact fixed version number is not confirmed in the available input data - the vendor advisory must be consulted directly to determine the target upgrade version for each affected branch (V24.30.40CP02 branch and V24.40.40 branch). As a compensating control pending patch application, restrict access to the ZXUniPOS NDS-LTE administrative web interface to trusted internal networks or VPN-only segments, which eliminates the browser-reachability condition required for CSRF. Enforcing SameSite=Strict or SameSite=Lax cookie attributes at the application or reverse proxy layer will directly mitigate CSRF exploitation paths, though this may affect cross-origin integrations. High-privilege administrator accounts should be educated on phishing and social engineering risks, given that UI:R is a hard prerequisite for exploitation.

Share

CVE-2026-49001 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy