This vulnerability (CVE-2026-49001) in ZTE ZXUniPOS NDS-LTE involves a CSRF flaw that enables attackers to induce unintended operations by leveraging a user's authenticated session. Affected versions include V24.40.40 and earlier, and V24.30.40CP02 and earlier. The CVSS 3.1 base score is 5.3 with vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L, reflecting network attack vector, high attack complexity, high privileges required, user interaction needed, unchanged scope, low confidentiality impact, high integrity impact, and low availability impact. No vendor advisory or patch information is currently available, and no known exploits have been reported.

Successful exploitation could allow an attacker to perform unauthorized actions within the context of an authenticated user's session, potentially leading to tampering with configuration data. The impact includes limited confidentiality loss, high integrity compromise, and low availability impact. The vulnerability requires high privileges and user interaction, which limits the ease of exploitation.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, organizations should consider implementing CSRF protections such as anti-CSRF tokens and validating the origin of requests where possible. Monitoring for unusual configuration changes may also help detect exploitation attempts.