Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (Zyxel) · only source for this CVE.
CVSS VectorVendor: Zyxel
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
A post-authentication command injection vulnerability in the “DomainName” parameter of the DHCP configuration file in Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device.
AnalysisAI
Command injection in Zyxel DX3301-T0 and EX3301-T0 routers allows authenticated administrators to execute arbitrary OS commands by injecting malicious input into the DomainName parameter of DHCP configuration. Affects firmware versions through 5.50(ABVY.7.1)C0. Vendor Zyxel has published a security advisory with remediation guidance. EPSS data not available; no public exploit identified at time of analysis. While CVSS score is 7.2 (High), practical risk is constrained by requirement for admin-level authentication, limiting exposure to credential compromise or malicious insider scenarios.
Technical ContextAI
This is a CWE-78 OS command injection vulnerability in the DHCP server configuration interface of Zyxel CPE devices. The DomainName parameter in DHCP settings lacks proper input sanitization, allowing shell metacharacters to break out of intended command contexts and execute arbitrary operating system commands. The affected products DX3301-T0 and EX3301-T0 are customer premises equipment (CPE) devices - likely DSL, fiber ONT, or 4G LTE/5G NR routers based on the advisory context referencing multiple CPE categories. The vulnerability exists in the web administration interface's DHCP configuration module, where user-supplied domain name values are passed unsanitized to underlying system calls or scripts. This class of vulnerability is particularly critical in network edge devices as OS-level access enables persistent compromise, traffic interception, and pivot points into internal networks.
RemediationAI
Apply vendor-released firmware update per Zyxel security advisory published April 28, 2026, available at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026. The advisory should specify patched firmware versions superseding 5.50(ABVY.7.1)C0 for DX3301-T0 and EX3301-T0 models. Until patching is complete, implement compensating controls: restrict administrative interface access to trusted management networks only via firewall rules (disable WAN-side admin access entirely if not operationally required), enforce strong unique admin passwords with multi-factor authentication if supported, monitor authentication logs for unauthorized admin login attempts, and review DHCP configuration for unexpected domain name entries. Note that disabling DHCP server functionality eliminates the attack surface but breaks dynamic IP assignment for connected clients, requiring static IP configuration. Review all admin accounts and remove unnecessary credentials to minimize insider threat exposure.
More in Dx3301 T0 Firmware
View allA post-authentication command injection vulnerability in the log file download function of the Zyxel EX3301-T0 firmware
A buffer overflow vulnerability in the packet parser of the third-party library "libclinkc" in Zyxel VMG8825-T50K firmwa
A buffer overflow vulnerability in the library "libclinkc" of the Zyxel VMG8825-T50K firmware version 5.50(ABOM.8)C0 cou
The buffer overflow vulnerability in the DX3300-T1 firmware version V5.50(ABVY.4)C0 could allow an authenticated local a
A null pointer dereference vulnerability in the certificate downloader CGI program of the Zyxel VMG3625-T50B firmware ve
A null pointer dereference vulnerability in the Wake-on-LAN CGI program of the Zyxel VMG3625-T50B firmware version throu
A null pointer dereference vulnerability in the IP settings CGI program of the Zyxel VMG3625-T50B firmware versions thro
A null pointer dereference vulnerability in the account settings CGI program of the Zyxel VMG3625-T50B firmware versions
A post-authentication buffer overflow vulnerability in the parameter "action" of the CGI program in Zyxel VMG3625-T50B f
An improper restriction of operations within the bounds of a memory buffer in the USB file-sharing handler of the Zyxel
An improper restriction of operations within the bounds of a memory buffer in the MAC address parser of the Zyxel VMG882
An improper restriction of operations within the bounds of a memory buffer in the IPv6 address parser of the Zyxel VMG88
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25970