CVE-2025-26710: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in ZTE T5400
There is an information disclosure vulnerability in ZTE T5400. Due to improper configuration of the access control mechanism, attackers can obtain information through interfaces without authorization, causing the risk of information disclosure.
AI Analysis
Technical Summary
CVE-2025-26710 is an information disclosure vulnerability identified in the ZTE T5400 product, specifically version CR_UNIAGT5400V1.0.0B02. The root cause of this vulnerability is an improper configuration of the access control mechanism, which allows unauthorized actors to access certain interfaces and retrieve sensitive information without proper authorization. This vulnerability is classified under CWE-200, which pertains to the exposure of sensitive information to unauthorized entities. The CVSS v3.1 base score is 3.5, indicating a low severity level. The vector details specify that the attack vector is adjacent network (AV:A), with low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and the scope is unchanged (S:U). The impact is limited to confidentiality (C:L) with no impact on integrity or availability. There are no known exploits in the wild at the time of publication, and no patches have been linked yet. The vulnerability could potentially allow attackers with some level of access (adjacent network and low privileges) to extract sensitive data from the device interfaces due to misconfigured access controls, which could include configuration details, operational data, or other sensitive information handled by the ZTE T5400 device.
Potential Impact
For European organizations using the ZTE T5400, this vulnerability could lead to unauthorized disclosure of sensitive information, which might include network configuration, operational parameters, or other data critical to network management and security. Although the severity is low and the impact limited to confidentiality, such information leakage could aid attackers in reconnaissance activities, facilitating more targeted attacks or lateral movement within networks. Given that the attack requires adjacent network access and low privileges, internal threat actors or attackers who have gained limited network access could exploit this vulnerability. This risk is particularly relevant for telecommunications providers, enterprises, or critical infrastructure operators relying on ZTE T5400 devices in their network infrastructure. The exposure of sensitive information could undermine trust, violate data protection regulations such as GDPR if personal data is involved, and potentially lead to compliance issues or reputational damage.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should first verify the access control configurations on their ZTE T5400 devices to ensure that sensitive interfaces are properly restricted and require appropriate authentication and authorization. Network segmentation should be enforced to limit access to these devices only to trusted administrators and systems, reducing the risk of adjacent network exploitation. Monitoring and logging access attempts to these interfaces should be enabled to detect any unauthorized access attempts promptly. Organizations should also engage with ZTE to obtain official patches or firmware updates addressing this vulnerability once available. Until patches are released, applying compensating controls such as disabling unnecessary interfaces, applying strict firewall rules, and conducting regular security audits of device configurations are recommended. Additionally, training network administrators on secure configuration practices and maintaining an inventory of affected devices will help in managing and mitigating the risk effectively.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: zte
- Date Reserved: 2025-02-14T06:13:41.901Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68c9ba513e540f592ae59bbb
Added to database: 9/16/2025, 7:28:17 PM
Last enriched: 9/16/2025, 7:28:42 PM
Last updated: 9/18/2025, 11:48:27 AM