CVE-2026-40002 PUBLISHED

ZTE Red Magic 11 Pro (NX809J) contains a vulnerability that allows non-privileged applications to trigger sensitive operations.

Assigner: zte
Reserved: 08.04.2026 Published: 17.04.2026 Updated: 17.04.2026

Red Magic 11 Pro (NX809J) contains a vulnerability that allows non-privileged applications to trigger sensitive operations. The vulnerability stems from the lack of validation for applications accessing the service interface. Exploiting this vulnerability, an attacker can write files to specific partitions and set writable system properties.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
CVSS Score: 5

Attack Vector	Local	Scope	Changed
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	ZTE
Product	Red Magic 11 Pro (NX809J)
Versions	Default: unaffected affected from GEN_NEEA_NX809J V1.0.0B14MR1 to V1.0.0B14MR1 (incl.)

Credits

Christopher Nelson finder

References

https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/8224335890517684583

Problem Types

CWE-269: Improper Privilege Management CWE

Impacts

CAPEC-122 Privilege Abuse