Cyber Resilience

CVE-2026-40436

HighUpdated

Published: 13 April 2026

Published
13 April 2026
Modified
12 May 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0004 12.0th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-40436 is a high-severity an unspecified weakness vulnerability in Zte Zxesm Iems. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-40436 is a password reset vulnerability in the ZTE ZXEDM iEMS product, specifically affecting the cloud EMS portal's user management functions. The issue stems from inadequate access controls on the user list acquisition interface, allowing unauthorized reading of the full user list. With this information, attackers can subsequently reset passwords for any user, potentially enabling unauthorized operations on the system.

Exploitation requires network access, low privileges (PR:L), high attack complexity (AC:H), and user interaction (UI:R), with no change in scope (S:U). A low-privileged user could leverage the exposed user list endpoint to enumerate all accounts and initiate password resets, achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as scored at CVSS 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H). This could lead to full compromise of affected accounts and broader system control.

ZTE has published a security bulletin addressing this vulnerability at https://support.zte.com.cn/zte-iccp-isupport-webui/support/bulletin/security?lang=en_US&t=0.7465962531829456.

EU & UK References

Vulnerability details

The ZTE ZXEDM iEMS product has a password reset vulnerability for any user.Because the management of the cloud EMS portal does not properly control access to the user list acquisition function, attackers can read all user list information through the…

more

user list interface. Attackers can reset the passwords of obtained user information, causing risks such as unauthorized operations.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1087.004 Cloud Account Discovery
Adversaries may attempt to get a listing of cloud accounts.
T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

Vulnerability in public-facing cloud EMS portal enables exploitation of public-facing application (T1190) for unauthorized cloud account discovery via user list (T1087.004) and account manipulation through password resets (T1098).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34472Same vendor: Zte
CVE-2025-26702Same vendor: Zte
CVE-2025-26705Same vendor: Zte
CVE-2025-66315Same vendor: Zte

Affected Assets

zte
zxesm iems
16.25.42.04

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces approved authorizations to prevent unauthorized access to the user list acquisition interface in the cloud EMS portal.

prevent

Applies least privilege to restrict low-privileged users from accessing sensitive user list and password reset functions.

prevent

Manages system accounts to authorize and control access to user management functions including user list retrieval and password resets.

References