Severity by source
AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (Zyxel) · only source for this CVE.
CVSS VectorVendor: Zyxel
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
A post-authentication command injection vulnerability in the EasyMesh-related APIs of Zyxel DX3300-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated, adjacent attacker with administrator privileges to execute OS commands on an affected device.
AnalysisAI
Command injection in EasyMesh APIs of Zyxel DX3300-T0 firmware through version 5.50(ABVY.7.1)C0 allows authenticated administrators with adjacent network access to execute arbitrary OS commands on the device. The vulnerability requires both administrator privileges and adjacent network positioning (AV:A), significantly limiting exposure to local network attackers rather than remote threat actors. CVSS 6.8 reflects high confidentiality, integrity, and availability impact but is constrained by elevated privilege and adjacency requirements.
Technical ContextAI
The vulnerability exists in the EasyMesh-related APIs, a mesh networking protocol component in Zyxel CPE (customer premises equipment) firmware. EasyMesh APIs handle inter-device communication in mesh topologies and may process command parameters without proper sanitization. CWE-78 (OS Command Injection) indicates the APIs fail to neutralize special characters or metacharacters in user-supplied input before passing it to OS command execution functions, likely in a web interface or local management API. The affected device is a 4G/LTE/5G NR CPE (cellular gateway), running embedded Linux-based firmware vulnerable in versions up to 5.50(ABVY.7.1)C0.
RemediationAI
Apply the vendor-released firmware patch from Zyxel security advisory (https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026) to upgrade DX3300-T0 firmware beyond version 5.50(ABVY.7.1)C0. Pending patch deployment, restrict administrative access to the device web interface and EasyMesh management APIs to trusted local network segments using network segmentation and access control lists. Disable EasyMesh functionality if not operationally required, as this is the attack surface. Monitor local network for anomalous API calls to EasyMesh endpoints. Rotate any shared or potentially compromised administrator credentials before patching, as the vulnerability requires authenticated admin access.
More in Dx3300 T0 Firmware
View allA post-authentication command injection vulnerability in the log file download function of the Zyxel EX3301-T0 firmware
A buffer overflow vulnerability in the packet parser of the third-party library "libclinkc" in Zyxel VMG8825-T50K firmwa
A buffer overflow vulnerability in the library "libclinkc" of the Zyxel VMG8825-T50K firmware version 5.50(ABOM.8)C0 cou
A null pointer dereference vulnerability in the certificate downloader CGI program of the Zyxel VMG3625-T50B firmware ve
A null pointer dereference vulnerability in the Wake-on-LAN CGI program of the Zyxel VMG3625-T50B firmware version throu
A null pointer dereference vulnerability in the IP settings CGI program of the Zyxel VMG3625-T50B firmware versions thro
A null pointer dereference vulnerability in the account settings CGI program of the Zyxel VMG3625-T50B firmware versions
A post-authentication buffer overflow vulnerability in the parameter "action" of the CGI program in Zyxel VMG3625-T50B f
An improper restriction of operations within the bounds of a memory buffer in the USB file-sharing handler of the Zyxel
An improper restriction of operations within the bounds of a memory buffer in the MAC address parser of the Zyxel VMG882
An improper restriction of operations within the bounds of a memory buffer in the IPv6 address parser of the Zyxel VMG88
An improper restriction of operations within the bounds of a memory buffer in the parameter type parser of the Zyxel VMG
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25968