{"api_version":"1","generated_at":"2026-06-03T19:00:29+00:00","cve":"CVE-2026-44409","urls":{"html":"https://cve.report/CVE-2026-44409","api":"https://cve.report/api/cve/CVE-2026-44409.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-44409","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-44409"},"summary":{"title":"Information disclosure vulnerability in ZTE MU5250","description":"There is an an information disclosure vulnerability in ZTE MU5250. Due to improper configuration of the access control mechanism, attackers can obtain information without authorization, causing the risk of information disclosure.","state":"PUBLISHED","assigner":"zte","published_at":"2026-05-22 05:16:26","updated_at":"2026-06-03 01:49:05"},"problem_types":["CWE-200","CWE-862","CWE-200 CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"psirt@zte.com.cn","type":"Secondary","score":"5.7","severity":"MEDIUM","vector":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"5.7","severity":"MEDIUM","vector":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"NONE","baseScore":5.7,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/3711746568357343342","name":"https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/3711746568357343342","refsource":"psirt@zte.com.cn","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-44409","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44409","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"ZTE","product":"MU5250","version":"affected BD_FLYMODEMMU5250V1.0.0B27","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Duc Anh Nguyen （from NTCS&TinyxLab）","lang":"en"}],"nvd_cpes":[{"cve_year":"2026","cve_id":"44409","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"zte","cpe5":"mu5250","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"44409","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"zte","cpe5":"mu5250_firmware","cpe6":"1.0.0b27","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"44409","cve":"CVE-2026-44409","epss":"0.000220000","percentile":"0.064450000","score_date":"2026-05-28","updated_at":"2026-05-29 00:13:16"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-44409","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-05-22T13:47:06.737611Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-05-22T13:47:14.731Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"MU5250","vendor":"ZTE","versions":[{"status":"affected","version":"BD_FLYMODEMMU5250V1.0.0B27"}]}],"credits":[{"lang":"en","type":"finder","value":"Duc Anh Nguyen （from NTCS&TinyxLab）"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>There is an an information disclosure vulnerability in ZTE MU5250. Due to improper configuration of the access control mechanism, attackers can obtain information without authorization, causing the risk of information disclosure.</p>"}],"value":"There is an an information disclosure vulnerability in ZTE MU5250. Due to improper configuration of the access control mechanism, attackers can obtain information without authorization, causing the risk of information disclosure."}],"impacts":[{"capecId":"CAPEC-1","descriptions":[{"lang":"en","value":"CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"NONE","baseScore":5.7,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-200","description":"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-22T03:49:56.231Z","orgId":"6786b568-6808-4982-b61f-398b0d9679eb","shortName":"zte"},"references":[{"url":"https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/3711746568357343342"}],"source":{"discovery":"UNKNOWN"},"title":"Information disclosure vulnerability in ZTE MU5250","x_generator":{"engine":"Vulnogram 1.0.2"}}},"cveMetadata":{"assignerOrgId":"6786b568-6808-4982-b61f-398b0d9679eb","assignerShortName":"zte","cveId":"CVE-2026-44409","datePublished":"2026-05-22T03:49:56.231Z","dateReserved":"2026-05-06T08:50:27.676Z","dateUpdated":"2026-05-22T13:47:14.731Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-22 05:16:26","lastModifiedDate":"2026-06-03 01:49:05","problem_types":["CWE-200","CWE-862","CWE-200 CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"],"metrics":{"cvssMetricV31":[{"source":"psirt@zte.com.cn","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:zte:mu5250_firmware:1.0.0b27:*:*:*:*:*:*:*","matchCriteriaId":"AEB27476-B25E-4A59-A6A4-2849EE48B757"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:zte:mu5250:-:*:*:*:*:*:*:*","matchCriteriaId":"C007E6FD-A7A7-49E9-8957-45FA167F9784"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"44409","Ordinal":"1","Title":"Information disclosure vulnerability in ZTE MU5250","CVE":"CVE-2026-44409","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"44409","Ordinal":"1","NoteData":"There is an an information disclosure vulnerability in ZTE MU5250. Due to improper configuration of the access control mechanism, attackers can obtain information without authorization, causing the risk of information disclosure.","Type":"Description","Title":"Information disclosure vulnerability in ZTE MU5250"}]}}}