CVE-2026-40003

ZTE ZX297520V3 BootROM contains a vulnerability that allows arbitrary memory writes via USB. Attackers can exploit the lack of target address validation in the USB download mode to write data to any location in BootROM runtime memory, thereby overwriting the stack, hijacking the execution flow, bypassing the Secure Boot signature verification mechanism, and achieving unauthorized code execution.

CVSS v3 5.1 MEDIUM

5.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.4 / Impact : 4.7

Attack Vector PHYSICAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2144487415169560645	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:zte:zx297520v3_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:zte:zx297520v3:-:*:*:*:*:*:*:*

History

13 May 2026, 19:19

Type	Values Removed	Values Added
References	~~() https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2144487415169560645 -~~	() https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2144487415169560645 - Vendor Advisory
First Time		Zte zx297520v3 Firmware Zte zx297520v3 Zte
CPE		cpe:2.3:h:zte:zx297520v3:-:::::::* cpe:2.3:o:zte:zx297520v3_firmware:-:::::::*

07 May 2026, 14:56

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-07 02:16

Updated : 2026-05-13 19:19

NVD link : CVE-2026-40003

Mitre link : CVE-2026-40003

CVE.ORG link : CVE-2026-40003

JSON object : View

Products Affected

zte

zx297520v3_firmware
zx297520v3

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2026-40003", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@zte.com.cn", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.1, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 0.4}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.9}]}, "published": "2026-05-07T02:16:03.453", "references": [{"url": "https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2144487415169560645", "tags": ["Vendor Advisory"], "source": "psirt@zte.com.cn"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@zte.com.cn", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "ZTE ZX297520V3 BootROM contains a vulnerability that allows arbitrary memory writes via USB. Attackers can exploit the lack of target address validation in the USB download mode to write data to any location in BootROM runtime memory, thereby overwriting the stack, hijacking the execution flow, bypassing the Secure Boot signature verification mechanism, and achieving unauthorized code execution."}], "lastModified": "2026-05-13T19:19:26.713", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zte:zx297520v3_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6E69F8B0-75E7-4BD9-A4C7-4F3CF428CEE7"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zte:zx297520v3:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B664C83E-0249-47BB-A3AD-1E9C4DF34206"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@zte.com.cn"}