CVE-2025-26702
Published: 11 March 2025
Summary
CVE-2025-26702 is a medium-severity Improper Input Validation (CWE-20) vulnerability in ZTE GoldenDB, with a CVSS base score of 4.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 41.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mandates system-level validation of information inputs, preventing the improper input validation and subsequent data manipulation that lead to denial of service in GoldenDB.
- SI-2 (Flaw Remediation): requires timely identification, patching, and verification of flaws such as this improper input validation vulnerability in affected GoldenDB versions.
- SC-5 (Denial-of-Service Protection): protects against the high availability impact (A:H) by limiting and identifying denial-of-service effects from privileged, network-based input manipulation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper input validation lets a privileged network attacker manipulate input data so that the application or system crashes, causing denial of service; this maps directly to Application or System Exploitation (T1499.004), a sub-technique of Endpoint Denial of Service.
NVD Description
Improper Input Validation vulnerability in ZTE GoldenDB allows Input Data Manipulation. This issue affects GoldenDB: from 6.1.03 through 6.1.03.04.
Deeper analysis
CVE-2025-26702 is an Improper Input Validation vulnerability in ZTE GoldenDB that allows Input Data Manipulation. The issue affects GoldenDB versions from 6.1.03 through 6.1.03.04 and was published on 2025-03-11. It is associated with CWE-20 and carries a CVSS v3.1 base score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Exploitation requires high privileges (PR:H) and can be performed over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). An attacker who already holds privileged access can trigger the vulnerability; its effects stay within the vulnerable component (S:U) and consist of a high impact to availability (A:H), such as denial of service, while confidentiality (C:N) and integrity (I:N) remain unaffected.
Mitigation details are available in the ZTE security bulletin at https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/1820079027271819342.
Details
- CWE(s): CWE-20 (Improper Input Validation)