Permission and Access Control Vulnerability in Some ZTE Mobile Phones

Initial Release Date:  July 27, 2023


Vulnerability ID

CVE ID: CVE-2023-25647
CNNVD ID: CNNVD-2023-12863579


CVSS 3.1 Base Score 

4.7 Medium (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)



There is a permission and access control vulnerability in ZTE Axon 40 Pro. Due to improper access control, applications on the phone could monitor touch events.


Affected Products and Fixes

Product Name | Affected Version | Resolved Version
Axon 40 Pro | All versions up to NON_EEA_P870F21V1.0.0B07 |
Nubia Z50 | All versions up to GEN_ZTE_PQ82A01V1.0.0B18MR |
Axon 30 | All versions up to GEN_ZTE_P870A01V3.0.0B05 |
Axon 40 Ultra | All versions up to GEN_ZTE_P898A01V2.0.0B16 |




ZTE thanks Yousra Aafer (University of Waterloo) for paying attention to our products and cooperating with us to disclose the vulnerability.


Update Records

July 27, 2023, initial.


Version Update Method

A device that supports automatic updates will show a pop-up update message, and you can upgrade the device from that prompt. If no update message is received, contact your service provider to obtain the update information.


ZTE Mobile Phone Support Center