CVE-2026-40003

MEDIUM

ZTE ZX297520V3 BootROM - USB Arbitrary Memory Write

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-40003. PoCs published by rva3, XZ1r0.

Description

ZTE ZX297520V3 BootROM contains a vulnerability that allows arbitrary memory writes via USB. Attackers can exploit the lack of target address validation in the USB download mode to write data to any location in BootROM runtime memory, thereby overwriting the stack, hijacking the execution flow, bypassing the Secure Boot signature verification mechanism, and achieving unauthorized code execution.

Exploits (2)

nomisec WORKING POC 6 stars
by rva3 · poc
https://github.com/rva3/CVE-2026-40003

This repository contains a functional exploit for CVE-2026-40003, an arbitrary memory write vulnerability in the ZXIC/Sanechips ZX297520V3 SoC BootROM. The exploit leverages the USB download mode to achieve arbitrary memory writes and execute payloads by manipulating the stack and return address.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ZXIC/Sanechips ZX297520V3 SoC BootROM
No auth needed
Prerequisites: Physical access or USB communication with the target device · Device in a state where BootROM falls back to USB download mode
devstral-2 · analyzed May 08, 2026

github WORKING POC
by XZ1r0 · python · poc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/CVE-2026-40003

This repository contains a functional exploit for CVE-2026-40003, targeting a ZXIC/Sanechips BootROM vulnerability. The exploit leverages USB communication to achieve arbitrary memory write, allowing execution of unsigned code on the ZX297520V3 SoC.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ZXIC/Sanechips ZX297520V3 SoC BootROM
No auth needed
Prerequisites: USB access to the target device · Device in USB download mode
devstral-2 · analyzed May 21, 2026

Scores

CVSS v3: 5.1
EPSS: 0.0001
EPSS Percentile: 1.0%
Attack Vector: PHYSICAL
CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-787
Status: published
Products (2):
ZTE/ZX297520V3 BootROM 7520V3 chip
zte/zx297520v3_firmware
Published: May 07, 2026
Tracked Since: May 07, 2026