Description
Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and modifying configuration information.
Published: 2026-05-27
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a broken access control flaw that allows an attacker to read and modify configuration information beyond the permissions granted to their user account. This can expose sensitive settings or alter system behaviour, leading to unauthorized configuration changes. The reported CVSS score of 9.1 highlights the severity of missing or inappropriate access checks.

Affected Systems

The affected product is ZTE’s ZXUniPOS NDS-LTE. No specific version or build numbers are disclosed, so all deployments of this product should be assessed for the presence of the access‑control defect.

Risk and Exploitability

The risk level is high; with a CVSS score of 9.1 the flaw allows full disclosure and modification of configuration data. The flaw is not listed in CISA’s KEV catalog. Based on the description, the attack vector is likely remote via the web or network interface, though local exploitation is also plausible if an attacker can authenticate to the system. Because of the severity indicated by the CVSS score, organizations should treat this as a priority vulnerability.

Generated by OpenCVE AI on May 27, 2026 at 11:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑released firmware or patch that addresses the broken access control flaw on the ZTE ZXUniPOS NDS‑LTE device.
  • Restrict administrative interfaces to trusted networks and enforce strong authentication and role‑based access control to minimise the attack surface.
  • Conduct a review of user accounts and permissions, ensuring that only authorised personnel have configuration‑level access, and disable or delete unused accounts.


Advisories

No advisories yet.

History

Wed, 27 May 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Zte; Zte zxunipos Nds-lte
Vendors & Products | | Zte; Zte zxunipos Nds-lte

Wed, 27 May 2026 09:00:00 +0000

Type | Values Removed | Values Added
Description | | Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and modifying configuration information.
Title | | Broken Access Control Vulnerabily in ZTE ZXUniPOS NDS-LTE product
Weaknesses | | CWE-284
References | |
Metrics | | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Zte Zxunipos Nds-lte
MITRE

Status: PUBLISHED

Assigner: zte

Published:

Updated: 2026-05-27T08:19:15.774Z

Reserved: 2026-05-27T01:01:53.326Z

Link: CVE-2026-49002

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-27T09:16:32.253

Modified: 2026-05-27T09:16:32.253

Link: CVE-2026-49002

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T11:45:15Z

Weaknesses