Zero Day MonitorZDM

← Back to list

EST

PRE-CVE

zyxel

Command Injection Vulnerabilities in Zyxel 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders

72% confidence

Description

Multiple command injection vulnerabilities have been identified in various Zyxel products including 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders. These vulnerabilities allow an attacker to execute arbitrary commands on the affected devices.

Affected Products

Vendor	Product	Versions
zyxel	—	multiple versions and models

Related News (1 articles)

Tier B

CCCS Canada3h ago

Zyxel security advisory (AV26-399)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited❌ No

CWECWE-77

PublishedApr 28, 2026

Last enriched3h ago

Tags

command injectionnetwork devicescpeontwireless extender

Trending Score20

Source articles1

Independent1

Info Completeness6/14

Missing: cve_id, product, cvss, epss, kev, exploit, patch, iocs

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-1460EXP

CVE-2026-1460: A post-authentication command injection vulnerability in the “DomainName” parameter of the DHCP configuration file in Zy

MEDIUMCVE-2026-0711EXP

CVE-2026-0711: A post-authentication command injection vulnerability in the EasyMesh-related APIs of Zyxel DX3300-T0 firmware versions

MEDIUMCVE-2026-6058EXP

CVE-2026-6058: ** UNSUPPORTED WHEN ASSIGNED ** An improper encoding or escaping vulnerability in the CGI program of Zyxel WRE6505 v2 fi

MEDIUMCVE-2025-11848

A null pointer dereference vulnerability in the Wake-on-LAN CGI program of the Zyxel VMG3625-T50B firmware version through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.

MEDIUMCVE-2025-11847

A null pointer dereference vulnerability in the IP settings CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL

Pin to Dashboard

Verification

State: reported

Confidence: 72%

Vulnerability Timeline

CVE Published

Apr 28, 2026

Discovered by ZDM

Apr 28, 2026