{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40436", "assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", "state": "PUBLISHED", "assignerShortName": "zte", "dateReserved": "2026-04-13T03:09:12.226Z", "datePublished": "2026-04-13T06:31:49.372Z", "dateUpdated": "2026-04-13T13:01:38.521Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "6786b568-6808-4982-b61f-398b0d9679eb", "shortName": "zte", "dateUpdated": "2026-04-13T06:31:49.372Z"}, "title": "ZTE ZXEDM iEMS product has a password reset vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE\u2011269 Improper Privilege Management"}]}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "affected": [{"vendor": "ZTE", "product": "ZXEDM iEMS", "versions": [{"status": "affected", "version": "ElasticNet_UME_R32_V16.25.42.04"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ZTE ZXEDM iEMS product has a password reset vulnerability for any user.Because the management of the cloud EMS portal does not properly control access to the user list acquisition function, attackers can read all user list information through the user list interface. Attackers can reset the passwords of obtained user information, causing risks such as unauthorized operations.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The ZTE ZXEDM iEMS product has a password reset vulnerability for any user.Because the management of the cloud EMS portal does not properly control access to the user list acquisition function, attackers can read all user list information through the user list interface. Attackers can reset the passwords of obtained user information, causing risks such as unauthorized operations."}]}], "references": [{"url": "https://support.zte.com.cn/zte-iccp-isupport-webui/support/bulletin/security?lang=en_US&t=0.7465962531829456"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Wenwei Shi", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T13:01:31.744256Z", "id": "CVE-2026-40436", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T13:01:38.521Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40436", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T13:01:31.744256Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T13:01:35.001Z"}}], "cna": {"title": "ZTE ZXEDM iEMS product has a password reset vulnerability", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Wenwei Shi"}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ZTE", "product": "ZXEDM iEMS", "versions": [{"status": "affected", "version": "ElasticNet_UME_R32_V16.25.42.04"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://support.zte.com.cn/zte-iccp-isupport-webui/support/bulletin/security?lang=en_US&t=0.7465962531829456"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "The ZTE ZXEDM iEMS product has a password reset vulnerability for any user.Because the management of the cloud EMS portal does not properly control access to the user list acquisition function, attackers can read all user list information through the user list interface. Attackers can reset the passwords of obtained user information, causing risks such as unauthorized operations.", "supportingMedia": [{"type": "text/html", "value": "The ZTE ZXEDM iEMS product has a password reset vulnerability for any user.Because the management of the cloud EMS portal does not properly control access to the user list acquisition function, attackers can read all user list information through the user list interface. Attackers can reset the passwords of obtained user information, causing risks such as unauthorized operations.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE\u2011269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "6786b568-6808-4982-b61f-398b0d9679eb", "shortName": "zte", "dateUpdated": "2026-04-13T06:31:49.372Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40436", "state": "PUBLISHED", "dateUpdated": "2026-04-13T13:01:38.521Z", "dateReserved": "2026-04-13T03:09:12.226Z", "assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", "datePublished": "2026-04-13T06:31:49.372Z", "assignerShortName": "zte"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ZTE ZXEDM iEMS product has a password reset vulnerability for any user.Because the management of the cloud EMS portal does not properly control access to the user list acquisition function, attackers can read all user list information through the user list interface. Attackers can reset the passwords of obtained user information, causing risks such as unauthorized operations."}], "id": "CVE-2026-40436", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "psirt@zte.com.cn", "type": "Secondary"}]}, "published": "2026-04-13T07:16:50.393", "references": [{"source": "psirt@zte.com.cn", "url": "https://support.zte.com.cn/zte-iccp-isupport-webui/support/bulletin/security?lang=en_US&t=0.7465962531829456"}], "sourceIdentifier": "psirt@zte.com.cn", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "ElasticNet_UME_R32_V16.25.42.04"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ZXEDM iEMS", "source": "cna", "vendor": "ZTE"}, "product": "zxedm_iems", "vendor": "zte"}], "analysis": {"en": {"generated_at": "2026-04-13T08:21:40.042435+00:00", "value": {"mitigation_remediation": ["Contact ZTE support to obtain and deploy the latest security patch or firmware update for ZXEDM iEMS", "Restrict access to the user list and password reset endpoints to privileged administrative accounts only", "Disable or secure the password reset feature until proper authentication controls are in place", "Implement monitoring on the EMS portal to detect anomalous password reset activity and unauthorized changes", "Apply secure configuration hardening guidelines for cloud-managed network devices"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access via Password Reset"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to ZTE's ZXEDM iEMS product. No specific versions are listed, so all deployed instances of this product are potentially affected until a patch is applied.", "description_and_impact": "The ZTE ZXEDM iEMS product allows any user to reset passwords because the cloud EMS portal does not enforce proper access control over the user list acquisition function. An attacker who can read the user list can then reset the passwords of the returned accounts, granting the attacker unauthorized operations on the system. This flaw enables attackers to elevate privileges or take full control of managed devices without legitimate credentials.", "risk_and_exploitability": "The CVSS base score of 7.1 indicates a high severity vulnerability. Exploitation requires access to the cloud EMS portal; the description suggests it can be performed remotely via that interface. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog, but its high impact and lack of controls make it a significant risk for operators who have not yet applied a vendor fix."}}}}, "created": "2026-04-13T12:36:52.431642+00:00", "updated": "2026-04-13T12:52:40.671300+00:00", "vendors": ["zte", "zte$PRODUCT$zxedm_iems"], "weaknesses": ["CWE-284"]}