CVE-2026-44408 PUBLISHED

Unauthorized access vulnerability in ZTE MU5250

Assigner: zte
Reserved: 06.05.2026 Published: 19.05.2026 Updated: 19.05.2026

There is an unauthorized access vulnerability in ZTE MU5250. Due to improper permission control of the Web interface, an unauthorized attacker can modify configuration through the interface.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
CVSS Score: 6.3

Attack Vector	Adjacent Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	ZTE
Product	MU5250
Versions	Default: unaffected Version BD_FLYMODEMMU5250V1.0.0B27 is affected

Credits

Duc Anh Nguyen from NTCS&TinyxLab finder

References

https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2657904255874650158

Problem Types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE

Impacts

CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs