CVE-2026-44409 PUBLISHED

Information disclosure vulnerability in ZTE MU5250

Assigner: zte
Reserved: 06.05.2026 Published: 22.05.2026 Updated: 22.05.2026

There is an an information disclosure vulnerability in ZTE MU5250. Due to improper configuration of the access control mechanism, attackers can obtain information without authorization, causing the risk of information disclosure.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 5.7

Attack Vector	Adjacent Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	ZTE
Product	MU5250
Versions	Default: unaffected Version BD_FLYMODEMMU5250V1.0.0B27 is affected

Credits

Duc Anh Nguyen （from NTCS&TinyxLab） finder

References

https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/3711746568357343342

Problem Types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE

Impacts

CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs