CVE-2026-49001

MEDIUM

Cross-Site Request Forgery (CSRF) vulnerability in ZTE ZXUniPOS NDS-LTE product

Title source: cna

Description

Cross-site request forgery (CSRF) vulnerabilities allow attackers to exploit a user's authenticated session to forge cross-site requests, inducing the execution of unintended operations such as tampering with configuration data.

References (1)

Core 1

Core References

https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/3711746568357343400

Scores

CVSS v3 5.3

EPSS 0.0011

EPSS Percentile 1.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (3)

ZTE/ZXUniPOS NDS-LTE V24.30.40CP02 and earlier versions

ZTE/ZXUniPOS NDS-LTE V24.40.40 and earlier versions

ZTE/ZXUniPOS NDS-LTE Versions < V24.40.40CP01 (excluding V24.30.40CP03, V24.40.40CP01)

Published May 27, 2026

Tracked Since May 27, 2026