Skip to main content

Zyxel DX3301-T0 / EX3301-T0 CVE-2026-1460

| EUVDEUVD-2026-25970 HIGH
OS Command Injection (CWE-78)
2026-04-28 Zyxel
7.2
CVSS 3.1 · Vendor: Zyxel
Share

Severity by source

Vendor (Zyxel) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (Zyxel) · only source for this CVE.

CVSS VectorVendor: Zyxel

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 28, 2026 - 03:32 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 28, 2026 - 03:22 vuln.today
cvss_changed
Analysis Generated
Apr 28, 2026 - 03:15 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 03:00 euvd
EUVD-2026-25970
Analysis Generated
Apr 28, 2026 - 03:00 vuln.today
CVE Published
Apr 28, 2026 - 02:06 nvd
HIGH 7.2

DescriptionCVE.org

A post-authentication command injection vulnerability in the “DomainName” parameter of the DHCP configuration file in Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device.

AnalysisAI

Command injection in Zyxel DX3301-T0 and EX3301-T0 routers allows authenticated administrators to execute arbitrary OS commands by injecting malicious input into the DomainName parameter of DHCP configuration. Affects firmware versions through 5.50(ABVY.7.1)C0. Vendor Zyxel has published a security advisory with remediation guidance. EPSS data not available; no public exploit identified at time of analysis. While CVSS score is 7.2 (High), practical risk is constrained by requirement for admin-level authentication, limiting exposure to credential compromise or malicious insider scenarios.

Technical ContextAI

This is a CWE-78 OS command injection vulnerability in the DHCP server configuration interface of Zyxel CPE devices. The DomainName parameter in DHCP settings lacks proper input sanitization, allowing shell metacharacters to break out of intended command contexts and execute arbitrary operating system commands. The affected products DX3301-T0 and EX3301-T0 are customer premises equipment (CPE) devices - likely DSL, fiber ONT, or 4G LTE/5G NR routers based on the advisory context referencing multiple CPE categories. The vulnerability exists in the web administration interface's DHCP configuration module, where user-supplied domain name values are passed unsanitized to underlying system calls or scripts. This class of vulnerability is particularly critical in network edge devices as OS-level access enables persistent compromise, traffic interception, and pivot points into internal networks.

RemediationAI

Apply vendor-released firmware update per Zyxel security advisory published April 28, 2026, available at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026. The advisory should specify patched firmware versions superseding 5.50(ABVY.7.1)C0 for DX3301-T0 and EX3301-T0 models. Until patching is complete, implement compensating controls: restrict administrative interface access to trusted management networks only via firewall rules (disable WAN-side admin access entirely if not operationally required), enforce strong unique admin passwords with multi-factor authentication if supported, monitor authentication logs for unauthorized admin login attempts, and review DHCP configuration for unexpected domain name entries. Note that disabling DHCP server functionality eliminates the attack surface but breaks dynamic IP assignment for connected clients, requiring static IP configuration. Review all admin accounts and remove unnecessary credentials to minimize insider threat exposure.

CVE-2025-13943 HIGH
8.8 Feb 24

A post-authentication command injection vulnerability in the log file download function of the Zyxel EX3301-T0 firmware

CVE-2024-8748 HIGH
7.5 Dec 03

A buffer overflow vulnerability in the packet parser of the third-party library "libclinkc" in Zyxel VMG8825-T50K firmwa

CVE-2024-5412 HIGH
7.5 Sep 03

A buffer overflow vulnerability in the library "libclinkc" of the Zyxel VMG8825-T50K firmware version 5.50(ABOM.8)C0 cou

CVE-2024-0816 MEDIUM
5.5 May 21

The buffer overflow vulnerability in the DX3300-T1 firmware version V5.50(ABVY.4)C0 could allow an authenticated local a

CVE-2025-11845 MEDIUM
4.9 Feb 24

A null pointer dereference vulnerability in the certificate downloader CGI program of the Zyxel VMG3625-T50B firmware ve

CVE-2025-11848 MEDIUM
4.9 Feb 24

A null pointer dereference vulnerability in the Wake-on-LAN CGI program of the Zyxel VMG3625-T50B firmware version throu

CVE-2025-11847 MEDIUM
4.9 Feb 24

A null pointer dereference vulnerability in the IP settings CGI program of the Zyxel VMG3625-T50B firmware versions thro

CVE-2025-11846 MEDIUM
4.9 Feb 24

A null pointer dereference vulnerability in the account settings CGI program of the Zyxel VMG3625-T50B firmware versions

CVE-2024-9197 MEDIUM
4.9 Dec 03

A post-authentication buffer overflow vulnerability in the parameter "action" of the CGI program in Zyxel VMG3625-T50B f

CVE-2024-38269 MEDIUM
4.9 Sep 24

An improper restriction of operations within the bounds of a memory buffer in the USB file-sharing handler of the Zyxel

CVE-2024-38268 MEDIUM
4.9 Sep 24

An improper restriction of operations within the bounds of a memory buffer in the MAC address parser of the Zyxel VMG882

CVE-2024-38267 MEDIUM
4.9 Sep 24

An improper restriction of operations within the bounds of a memory buffer in the IPv6 address parser of the Zyxel VMG88

Share

CVE-2026-1460 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy