CVE-2026-40436
Received Received - Intake
Unauthorized Password Reset via User List Exposure in ZTE ZXEDM iEMS

Publication date: 2026-04-13

Last updated on: 2026-05-06

Assigner: ZTE Corporation

Description
The ZTE ZXEDM iEMS product has a password reset vulnerability for any user.Because the management of the cloud EMS portal does not properly control access to the user list acquisition function, attackers can read all user list information through the user list interface. Attackers can reset the passwords of obtained user information, causing risks such as unauthorized operations.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-05-06
Generated
2026-06-10
AI Q&A
2026-04-13
EPSS Evaluated
2026-06-09
NVD
CVE-2026-40436
EUVD
EUVD-2026-21883
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zte zxedm_iems 16.25.42.04
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the ZTE ZXEDM iEMS product's cloud EMS portal where the management does not properly control access to the user list acquisition function.

Because of this, attackers can read all user list information through the user list interface.

With the obtained user information, attackers can reset the passwords of those users, leading to unauthorized operations.

Impact Analysis

This vulnerability can lead to unauthorized access and control over user accounts because attackers can reset passwords without proper authorization.

Such unauthorized operations can compromise the confidentiality, integrity, and availability of the system.

The CVSS score of 7.1 indicates a high severity impact, meaning the vulnerability poses significant risks if exploited.

Compliance Impact

The vulnerability allows attackers to read all user list information and reset passwords without proper authorization. This unauthorized access and control over user accounts can lead to data breaches and unauthorized operations, which may violate data protection requirements under standards like GDPR and HIPAA.

Specifically, the exposure of user information and the ability to reset passwords could compromise the confidentiality, integrity, and availability of personal data, potentially resulting in non-compliance with regulations that mandate strict access controls and protection of sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40436. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart