Cyber Resilience

CVE-2026-44406

Medium

Published: 07 May 2026

Modified: 08 May 2026
CVSS Score v3.1: 5.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L)
EPSS Score: 0.0016 (5.8th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-44406 is a medium-severity Uncontrolled Search Path Element (CWE-427) vulnerability in ZTE ZXCLOUD iRAI. Its CVSS base score is 5.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique DLL (T1574.001). The CVE ranks at the 5.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

ZTE Cloud PC client uSmartView contains a DLL hijacking vulnerability; since uSmartViewServiceAgent.exe runs with SYSTEM privileges, successful hijacking enables local arbitrary code execution, privilege escalation, and memory corruption.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1574.001 DLL (tactic: Stealth)
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses.
T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CVE directly describes DLL hijacking (CWE-427) in a SYSTEM-privileged executable, enabling code execution and local privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

zte
zxcloud irai
7.23.20 — 7.25.43

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.