Skip to main content

ZXUniPOS NDS-LTE CVE-2026-49002

| EUVDEUVD-2026-32152 CRITICAL
Improper Access Control (CWE-284)
2026-05-27 zte GHSA-54c6-h824-3w6w
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:19 vuln.today

DescriptionCVE.org

Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and modifying configuration information.

AnalysisAI

Improper access control in ZTE ZXUniPOS NDS-LTE (V24.40.40 and earlier, and V24.30.40CP02 and earlier) lets remote unauthenticated attackers reach functionality that should be permission-gated, allowing them to read and modify system configuration data beyond their authorization. The CVSS 3.1 base score is 9.1 (AV:N/AC:L/PR:N/UI:N) with high confidentiality and integrity impact but no availability impact, and the issue is tagged as an authentication bypass. EPSS is very low at 0.03% (9th percentile) and there is no public exploit identified at time of analysis.

Technical ContextAI

ZXUniPOS NDS-LTE is a ZTE telecom/operator-side platform (the CPE cpe:2.3:a:zte:zxunipos_nds-lte identifies it as a ZTE application product). The root cause is classified as CWE-284 (Improper Access Control): the application does not effectively enforce that a requesting user holds the privileges required for a given operation, so authorization checks can be bypassed for sensitive views and writes. Because the vector is AV:N with PR:N, the affected access-control logic is reachable over the network without any valid account, meaning the missing check sits in a network-facing interface (management/web/API surface) rather than behind an authenticated session boundary.

RemediationAI

Patch available per vendor advisory: consult the ZTE security bulletin at https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/6783201397271515377 and upgrade ZXUniPOS NDS-LTE to the fixed release ZTE specifies (an exact patched version is not stated in the available data, so confirm the target build directly with ZTE rather than assuming one). Because the vulnerable interface is reachable over the network without authentication, until the fixed build is deployed restrict network reachability of the management/administrative interface to trusted operator management networks only (network ACLs / firewall rules limiting source addresses), and place it behind a VPN or jump host so it is not exposed to broader or untrusted segments - the trade-off is added operator-access friction and the need to maintain allowlists. Increase monitoring/audit logging of configuration read and write operations to detect unauthorized access or tampering, accepting the added log volume. These are compensating controls, not a substitute for the vendor patch.

Share

CVE-2026-49002 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy