Broken Access Control Vulnerabily in ZTE ZXUniPOS NDS-LTE product
Summary
| CVE | CVE-2026-49002 |
|---|---|
| State | PUBLISHED |
| Assigner | zte |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-27 09:16:32 UTC |
| Updated | 2026-05-27 19:59:03 UTC |
| Description | Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and modifying configuration information. |
Risk And Classification
Primary CVSS: v3.1 9.1 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.000310000 probability, percentile 0.093320000 (date 2026-06-01)
Problem Types: CWE-284 | CWE-284 CWE-284: Improper Access Control
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | CNA | CVSS | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | ZTE | ZXUniPOS NDS-LTE | affected V24.30.40CP02 and earlier versions | Not specified |
| CNA | ZTE | ZXUniPOS NDS-LTE | affected V24.40.40 and earlier versions | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/6783201397271515377 | [email protected] | support.zte.com.cn | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Venom Nguyen (en)
There are currently no legacy QID mappings associated with this CVE.