Skip to main content

ZXUniPOS NDS-LTE EUVDEUVD-2026-31809

| CVE-2026-44410 LOW
Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240)
2026-05-26 zte GHSA-rv22-cchr-w8fp
3.8
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.8 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 12:55 vuln.today

DescriptionCVE.org

This vulnerability stems from a business logic flaw.Attackers can exploit legitimate application functions in unintended and abnormal ways, deviating from the designer's expectations, to carry out malicious attacks.

AnalysisAI

Business logic abuse in ZTE ZXUniPOS NDS-LTE (versions V24.40.40 and V24.30.40CP02) allows a highly privileged authenticated network attacker to manipulate legitimate application functions in ways unintended by the designer, yielding limited integrity and availability degradation. The CVSS score of 3.8 (Low) combined with an EPSS exploitation probability of 0.03% (7th percentile) and SSVC exploitation status of 'none' collectively indicate minimal immediate real-world threat. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Technical ContextAI

ZTE ZXUniPOS NDS-LTE is a telecommunications network management and provisioning platform targeting LTE network infrastructure, identified by CPE cpe:2.3:a:zte:zxunipos_nds-lte:*:*:*:*:*:*:*:*. The assigned CWE is CWE-1240 ('Use of a Risky Cryptographic Primitive'), which describes weaknesses arising from reliance on cryptographic primitives with known insecure properties. However, the CVE description characterizes this as a 'business logic flaw' - a category more typically associated with CWE-840 (Business Logic Errors) - where an attacker exploits legitimate application workflows in unintended sequences or with abnormal inputs to produce unauthorized outcomes. This CWE-to-description discrepancy should be verified with the vendor; the technical root cause may involve a flawed cryptographic control embedded within a business-logic-governed workflow, or the CWE assignment may be imprecise. The tags label this 'Information Disclosure', yet the CVSS vector shows C:N (no confidentiality impact), indicating a further inconsistency between metadata sources.

RemediationAI

Consult the ZTE security bulletin at https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/3711746568357343383 for vendor-issued guidance; a patched release version has not been independently confirmed from the available reference data, so administrators should contact ZTE support directly to obtain the remediated build. As a compensating control, strictly enforce the principle of least privilege to reduce the number of accounts holding the high-privilege level required to trigger this flaw - this directly negates the primary exploitation prerequisite. Additionally, enable audit logging for privileged application actions so that abnormal usage patterns deviating from expected business workflows can be detected. Network segmentation to restrict access to the NDS-LTE management interface to only authorized administrative subnets reduces the network-accessible attack surface. These controls do not eliminate the vulnerability but substantially raise the bar for exploitation while a vendor patch is applied.

Share

EUVD-2026-31809 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy