CVE-2026-49001 PUBLISHED

Cross-Site Request Forgery (CSRF) vulnerability in ZTE ZXUniPOS NDS-LTE product

Assigner: zte
Reserved: 27.05.2026 Published: 27.05.2026 Updated: 27.05.2026

Cross-site request forgery (CSRF) vulnerabilities allow attackers to exploit a user's authenticated session to forge cross-site requests, inducing the execution of unintended operations such as tampering with configuration data.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	High	Integrity Impact	High
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	ZTE
Product	ZXUniPOS NDS-LTE
Versions	Default: unaffected Version V24.40.40 and earlier versions is affected Version V24.30.40CP02 and earlier versions is affected

Credits

Venom Nguyen finder

References

https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/3711746568357343400

Problem Types

CWE-352 Cross-Site request forgery (CSRF) CWE

Impacts

CAPEC-62 Cross Site Request Forgery