Description
ZTE ZX297520V3 BootROM contains a vulnerability that allows arbitrary memory writes via USB. Attackers can exploit the lack of target address validation in the USB download mode to write data to any location in BootROM runtime memory, thereby overwriting the stack, hijacking the execution flow, bypassing the Secure Boot signature verification mechanism, and achieving unauthorized code execution.
Published: 2026-05-07
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the BootROM of the ZTE ZX297520V3 and allows an attacker to perform arbitrary memory writes when the device is in USB download mode. By exploiting the lack of target address validation, the attacker can overwrite arbitrary locations in runtime memory, including the stack. This manipulation can hijack the execution flow, bypass the Secure Boot signature verification, and ultimately grant the attacker the ability to run malicious code on the device. The weakness corresponds to an unchecked write leading to potential compromise of confidentiality, integrity, or availability of the system. The described impact is the ability to execute unauthorized code with the privilege level of the BootROM.
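The missing check described above, as an added example that is not ZTE's code and not part of the original record: a download handler that validates the host-supplied target range before copying. DL_BASE, DL_SIZE, dl_window and all function names are assumptions made for illustration, and the wrap-around variant goes beyond what the record states, to show why the check is written with subtraction.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed values for illustration; not the ZX297520V3 memory map. */
#define DL_BASE 0x20000000u  /* assumed start of the permitted load region */
#define DL_SIZE 0x00001000u  /* assumed size of that region */
static uint8_t dl_window[DL_SIZE];  /* stands in for the memory at DL_BASE */

/* True only if [addr, addr + len) lies entirely inside the load region.
 * Uses subtraction so that no intermediate value can wrap around. */
static bool dl_range_ok(uint32_t addr, uint32_t len)
{
    if (len == 0 || addr < DL_BASE)
        return false;
    uint32_t off = addr - DL_BASE;
    return off < DL_SIZE && len <= DL_SIZE - off;
}

/* Flawed variant shown for contrast: addr + len wraps for large inputs. */
static bool dl_range_ok_naive(uint32_t addr, uint32_t len)
{
    return addr >= DL_BASE && addr + len <= DL_BASE + DL_SIZE;
}

/* Hypothetical download handler: copy only after the range check passes.
 * Returns 0 on success, -1 when the host-supplied target is rejected. */
static int dl_write(uint32_t addr, const uint8_t *data, uint32_t len)
{
    if (!dl_range_ok(addr, len))
        return -1;
    memcpy(&dl_window[addr - DL_BASE], data, len);
    return 0;
}

int main(void)
{
    uint8_t payload[16] = {0xAA};
    printf("in range:      %d\n", dl_write(DL_BASE + 0x100, payload, 16));
    printf("below region:  %d\n", dl_write(DL_BASE - 4, payload, 16));
    printf("runs past end: %d\n", dl_write(DL_BASE + DL_SIZE - 8, payload, 16));
    printf("wrapping sum:  %d\n", dl_write(0xFFFFFFF0u, payload, 0x20));
    return 0;
}
```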

Affected Systems

The affected system is the ZTE ZX297520V3 BootROM. No additional versions or vendors are listed beyond the single product identifier ZTE:ZX297520V3 BootROM.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and the exploit probability (EPSS) is currently not available. This vulnerability is not included in the CISA KEV catalog. The attacker would need physical access or the ability to connect a USB device to the target device, or the device would need to be in a state that allows USB download mode. The lack of address validation directly enables arbitrary memory modification, making exploitation straightforward once the attacker has that access. Given the moderate CVSS score, organizations should assess the criticality of the device in their environment before determining the urgency of mitigation.

Generated by OpenCVE AI on May 7, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Scan for and apply any ZTE firmware updates that address the BootROM issue.
  • Disable or restrict USB download mode on all ZTE ZX297520V3 devices, ensuring that only authenticated and trusted USB devices can interface with the system.
  • Configure and enforce Secure Boot policies so that even if an attacker manipulates the BootROM runtime memory, the system will reject unsigned or tampered firmware during the boot process.


Advisories

No advisories yet.

History

Thu, 07 May 2026 02:00:00 +0000

Values added (none removed):

  • Description: ZTE ZX297520V3 BootROM contains a vulnerability that allows arbitrary memory writes via USB. Attackers can exploit the lack of target address validation in the USB download mode to write data to any location in BootROM runtime memory, thereby overwriting the stack, hijacking the execution flow, bypassing the Secure Boot signature verification mechanism, and achieving unauthorized code execution.
  • Title: USB-based arbitrary memory write vulnerability in ZTE ZX297520V3 soc BootROM
  • Weaknesses: CWE-787
  • References
  • Metrics: cvssV3_1 {'score': 5.1, 'vector': 'CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: zte

Published:

Updated: 2026-05-07T01:15:24.863Z

Reserved: 2026-04-08T07:51:26.675Z

Link: CVE-2026-40003

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-07T02:16:03.453

Modified: 2026-05-07T02:16:03.453

Link: CVE-2026-40003

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T04:00:14Z
