PatchSiren

ZTE CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH ZTE CVE published 2026-05-27

CVE-2026-49000

A medium-severity vulnerability (CVSS 5.3) involving insecure cryptographic practices was published on May 27, 2026. The issue stems from improper selection of encryption algorithms, inadequate key management, or flawed implementation—such as hard-coded keys or weak encryption—that could lead to data leakage or tampering. The vulnerability is associated with ZTE based on vendor evidence in the source refe [truncated]

MEDIUM ZTE CVE published 2026-05-27

CVE-2026-48999

CVE-2026-48999 is a stored cross-site scripting (XSS) vulnerability with a CVSS 3.1 score of 5.3 (Medium). The vulnerability allows attackers to inject malicious JavaScript into target systems, which executes in victims' browsers when they access affected pages. This enables session hijacking, cookie theft, and page content tampering. The stored nature of the attack provides broad scope and strong conceal [truncated]

LOW ZTE CVE published 2026-05-26

CVE-2026-44410

A business logic vulnerability in ZTE products allows authenticated administrators to exploit legitimate application functions in unintended ways. The flaw stems from improper implementation of business logic controls (CWE-1240), enabling malicious use of authorized capabilities outside their designed scope. The vulnerability requires high privileges (PR:H) with network access, and has low impact on integ [truncated]

MEDIUM ZTE CVE published 2026-05-22

CVE-2026-44409

CVE-2026-44409 is a medium-severity information disclosure issue affecting ZTE MU5250. The CVE description says improper configuration of the access control mechanism can let attackers obtain information without authorization. NVD records the issue with CVSS 3.1 vector AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating adjacent-network access, low privileges, no user interaction, and high confidentiality impact.

MEDIUM ZTE CVE published 2026-05-19

CVE-2026-44408

A medium-severity unauthorized access vulnerability exists in the ZTE MU5250, a mobile broadband device. The vulnerability stems from improper permission controls on the Web management interface, allowing an attacker with local network access and low privileges to modify device configuration without proper authorization. The CVSS 3.1 vector (AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H) indicates attack complexity [truncated]