PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44409 ZTE CVE debrief

CVE-2026-44409 is a medium-severity information disclosure issue affecting ZTE MU5250. The CVE description says improper configuration of the access control mechanism can let attackers obtain information without authorization. NVD records the issue with CVSS 3.1 vector AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating adjacent-network access, low privileges, no user interaction, and high confidentiality impact.

Vendor: ZTE
Product: MU5250
CVSS: MEDIUM 5.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-22
Original CVE updated: 2026-05-22
Advisory published: 2026-05-22
Advisory updated: 2026-05-22

Who should care

Security and network teams responsible for ZTE MU5250 deployments should review this CVE, especially where the device can be reached by adjacent-network users with low privileges or where sensitive information is handled through the device.

Technical summary

The public record ties the issue to ZTE MU5250 and an access-control misconfiguration that can expose information to unauthorized users. NVD metadata lists CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and attributes the reference to ZTE PSIRT. The supplied record does not include an affected-version range, exploit details, or a confirmed remediation identifier.

Defensive priority

Medium. Prioritize this as a confidentiality exposure risk, especially for deployments that store, relay, or expose sensitive operational data through MU5250 devices.

Recommended defensive actions

  • Review the linked ZTE PSIRT bulletin for affected models, versions, and any vendor remediation guidance.
  • Inventory ZTE MU5250 deployments and confirm whether access-control settings could expose information to unintended users.
  • Restrict access to the device and any related management interfaces to the smallest necessary set of users and networks.
  • Monitor logs and telemetry for unexpected information-access activity involving MU5250 devices.
  • Apply vendor-provided updates or mitigations as soon as they are published by the vendor.

Evidence notes

This debrief is based only on the supplied CVE/NVD record and the referenced ZTE PSIRT bulletin URL. The NVD metadata provides the CVSS vector AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N and weakness CWE-200, while the public description explicitly names ZTE MU5250. Vendor attribution in the supplied dataset is low confidence, so the product name is taken from the CVE description rather than from a resolved vendor field.

Official resources

Publicly recorded in the CVE/NVD entry on 2026-05-22; no CISA KEV listing is present in the supplied data.