Description
Cross-site request forgery (CSRF) vulnerabilities allow attackers to exploit a user's authenticated session to forge cross-site requests, inducing the execution of unintended operations such as tampering with configuration data.
Published: 2026-05-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a CSRF flaw that allows an attacker to cause a user—who is already authenticated—to execute unintended operations within the ZTE ZXUniPOS NDS‑LTE system, such as modifying configuration data. The primary impact is unauthorized configuration changes, which could alter system behavior or compromise service availability. The weakness is classified as CWE‑352, a classic CSRF vulnerability that exploits the lack of proper request‑validation mechanisms.

Affected Systems

ZTE ZXUniPOS NDS‑LTE management interface is affected. No explicit version information is provided; any deployment of the ZXUniPOS NDS‑LTE product is potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, with attackers needing a user’s authenticated session and ability to craft a cross‑site request. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no currently known widespread exploitation. The likely attack path involves an attacker hosting a malicious web page that issues forged requests while a legitimate user is logged into the POS management console. Successful exploitation would result in unauthorized configuration changes, potentially disrupting operations.

Generated by OpenCVE AI on May 27, 2026 at 10:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑issued patch or update as soon as it becomes available.
  • Implement anti‑CSRF tokens in all state‑changing requests to ensure requests originate from legitimate sessions.
  • Restrict the management interface to a trusted network segment or firewall‑protected VLAN to limit exposure to unauthenticated users.

Generated by OpenCVE AI on May 27, 2026 at 10:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Zte
Zte zxunipos Nds-lte
Vendors & Products Zte
Zte zxunipos Nds-lte

Wed, 27 May 2026 08:00:00 +0000

Type Values Removed Values Added
Description Cross-site request forgery (CSRF) vulnerabilities allow attackers to exploit a user's authenticated session to forge cross-site requests, inducing the execution of unintended operations such as tampering with configuration data.
Title Cross-Site Request Forgery (CSRF) vulnerability in ZTE ZXUniPOS NDS-LTE product
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L'}

Subscriptions

Zte Zxunipos Nds-lte
cve-icon MITRE

Status: PUBLISHED

Assigner: zte

Published:

Updated: 2026-05-27T13:39:25.842Z

Reserved: 2026-05-27T01:01:53.326Z

Link: CVE-2026-49001

cve-icon Vulnrichment

Updated: 2026-05-27T13:39:21.256Z

cve-icon NVD

Status : Received

Published: 2026-05-27T08:16:44.460

Modified: 2026-05-27T08:16:44.460

Link: CVE-2026-49001

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T12:45:32Z

Weaknesses