CVE-2026-49002

CRITICAL

Broken Access Control Vulnerabily in ZTE ZXUniPOS NDS-LTE product

Title source: cna

Description

Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and modifying configuration information.

References (1)

Core 1

Core References

https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/6783201397271515377

Scores

CVSS v3 9.1

EPSS 0.0031

EPSS Percentile 22.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-284

Status published

Products (3)

ZTE/ZXUniPOS NDS-LTE V24.30.40CP02 and earlier versions

ZTE/ZXUniPOS NDS-LTE V24.40.40 and earlier versions

ZTE/ZXUniPOS NDS-LTE Versions < V24.40.40CP01 (excluding V24.30.40CP03, V24.40.40CP01)

Published May 27, 2026

Tracked Since May 27, 2026