—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

Multiple Vulnerabilities in Zyxel

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: HIGH

Systems Affected

Zyxel devices 4G/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, security routers, wireless extenders running older firmware releases such as:

LTE3301-PLUS 1.00(ABQU.8)C0 and earlier

Nebula FWA505 1.19(ACKO.0)C0 and earlier

Nebula FWA510 1.20(ACGD.1)C0 and earlier

Nebula FWA515 1.50(ACPZ.0)C0 and earlier

Nebula FWA710 1.20(ACGC.0)C0 and earlier

Nebula LTE330s1-PLUS 1.18(ACCA.6)C0 and earlier

DX3300-T0 5.50(ABVY.7)C0 and earlier

DX3300-T1 5.50(ABVY.7)C0 and earlier

DX3301-T0 5.50(ABVY.7)C0 and earlier

DX4510-B0 5.17(ABYL.10)C0 and earlier

DX4510-B1 5.17(ABYL.10)C0 and earlier

DX5401-B1 5.17(ABYO.7)C0 and earlier

EE3301-00 5.63(ACMU.2)C0 and earlier

EE5301-00 5.63(ACLD.2)C0 and earlier

EE6510-10 5.19(ACJQ.4)C0 and earlier

EMG3525-T50B 5.50(ABPM.9.6)C0 and earlier

EMG5523-T50B 5.50(ABPM.9.6)C0 and earlier

EX2210-T0 5.50(ACDI.2.2)C0 and earlier

EX3300-T0 5.50(ABVY.7)C0 and earlier

EX3300-T1 5.50(ABVY.7)C0 and earlier

EX3301-T0 5.50(ABVY.7)C0 and earlier

EX3500-T0 5.44(ACHR.5)C0 and earlier

EX3501-T0 5.44(ACHR.5)C0 and earlier

EX3510-B0 5.17(ABUP.15.1)C0 and earlier

EX3510-B1 5.17(ABUP.15.1)C0 and earlier

EX3600-T0 5.70(ACIF.2)C0 and earlier

EX5401-B1 5.17(ABYO.7)C0 and earlier

EX5510-B0 5.17(ABQX.11)C0 and earlier

EX5512-T0 5.70(ACEG.5.2)C0 and earlier

EX5601-T0 5.70(ACDZ.5)C0 and earlier

EX5601-T1 5.70(ACDZ.5)C0 and earlier

EX7501-B0 5.18(ACHN.3)C0 and earlier

EX7710-B0 5.18(ACAK.1.5)C0 and earlier

GM4100-B0 5.18(ACCL.1.1)C0 and earlier

VMG3625-T50B 5.50(ABPM.9.6)C0 and earlier

VMG4005-B50A 5.17(ABQA.3.1)C0 and earlier

VMG4005-B60A 5.17(ABQA.3.1)C0 and earlier

VMG8623-T50B 5.50(ABPM.9.6)C0 and earlier

AX7501-B1 5.17(ABPC.7)C0 and earlier

PE3301-00 5.63(ACMT.2)C0 and earlier

PE5301-01 5.63(ACOJ.2)C0 and earlier

PM3100-T0 5.42(ACBF.4)C0 and earlier

PM5100-T0 5.42(ACBF.4)C0 and earlier

PM5100-T1 5.42(ACBF.4)C0 and earlier

PM7300-T0 5.42(ABYY.4)C0 and earlier

PM7500-00 5.61(ACKK.1.1)C0 and earlier

PX3321-T1 5.44(ACJB.1.4)C0, 5.44(ACHK.2)C0, 5.44(ACHK.3)C0 and earlier

PX5301-T0 5.44(ACKB.0.5)C0 and earlier

SCR 50AXE 1.20(ACGN.0)C0 and earlier

WE3300-00 5.70(ACKA.1)C0 and earlier

WX3100-T0 5.50(ABVL.4.8)C0 and earlier

WX3401-B1 5.17(ABVE.2.9)C0 and earlier

WX5600-T0 5.70(ACEB.5)C0 and earlier

WX5610-B0 5.18(ACGJ.0.4)C0 and earlier

Overview

Multiple Vulnerabilities have been reported in Certain Zyxel 4G/5G CPEs, DSL/Ethernet CPEs, Fiber ONTs, routers, and wireless extenders which could allow  an attacker to crash device or execute arbitrary operating system commands..

Target Audience:

IT and Network Administrators,Security Teams / SOC Analysts,CISO / Management,Customers / End Users of Zyxel Devices.

Risk Assessment:

High risks of service interruption and unauthorized access.

Impact Assessment:

Potential impact on confidentiality, integrity and availability of the system.

Description

1. Null Pointer Dereference Vulnerabilities ( CVE-2025-11847    CVE-2025-11848   CVE-2025-11845   CVE-2025-11846   )

Multiple vulnerabilities exist in the firmware of certain Zyxel 4G LTE/5G NR CPEs, DSL/Ethernet CPEs, Fiber ONTs, security routers, and wireless extenders, affecting CGI programs due to certificate downloader, account settings, IP settings, and Wake-on-LAN CGI programs.

An authenticated attacker with administrator privileges could exploit these vulnerabilities by sending specially crafted HTTP requests, potentially triggering a denial-of-service (DoS) condition.

Successful exploitation of these vulnerabilities could allow an attacker to system crash and disrupt packet forwarding.

2. Command Injection Vulnerabilities ( CVE-2025-13942   CVE-2025-13943   CVE-2026-1459   )

Multiple vulnerabilities exist in Certain 4G/5G CPEs, DSL/Ethernet CPEs, Fiber ONTs, and Wireless Extenders contain vulnerabilities in the UPnP function, log file download, and TR 369 certificate download CGI programs.  A remote attacker could exploit these by sending specially crafted UPnP SOAP requests to execute arbitrary OS commands on the affected device.

Solution

Apply appropriate updates as mentioned in:

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026

Vendor Information

Zyxel

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026

References

 

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026

CVE Name

CVE-2025-11845

CVE-2025-11846

CVE-2025-11847

CVE-2025-11848

CVE-2025-13942

CVE-2025-13943

CVE-2026-1459

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmmhsxkACgkQ3jCgcSdc

ys/j7w//eIS9jmZIYCdm0NhfUWA2U/RDVCBch6sXBN4aoR2SboRFQLZxJkcqZnsu

8jAbPgPes7HxruiNR3/YwCD/tiSvwF0K0lCdhNGRcCcVFF80hfsMN7eDY4kBkFUj

R/1JiPibr8fO9trwWVdgm22knGtp7OJkYnWjkbUZ8/yorb8RXt5gOVsWJySq3m6n

cB7MOfrNi/QqoWcUqOP2h8NU9Am7NBLFrJaD81s9tLFf4R29AOqrwVereuedLEit

NEMY199vwxa+DIIz3A8PgGiH1XydvOHXRCixOCtschMX1kAgKran/rVej05DM7gK

jFfYW/uBUF+3qOel6h2HaB3nt9WzSzoeGHfXH3k2u6poy1ZcEsGJF+ZH9gkt0XX/

i83XzzgtLdkCCjcOtPyhezF4VTy5BtXEcI2euPCE2AGfOvIIq1mHnrU3UtWze8LB

wfn7yRJEqahNJOgQhqbDa93dFqrFT18m67nfSN6rW0K/WJJtzB0tIQfm6PhAVrX+

fkwCwAQ0KSt1tZMZyB0vr3IKMFF8S+xBoGOfriEgmJi69tlUnRPRrKp4APQi22fY

1BeKlkRLzD8R98tARXs2KO1vBLQq6zVNk7Ko8zKONGQNXDLMcv1oKAe7agj5QylW

H7IJDWWW+Kk8zOeGKfYqk7rUdLJozuHcXht4pO5S2brlM0OgNHw=

=mDUa

—–END PGP SIGNATURE—–