Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
A buffer overflow vulnerability in the UPnP AddPortMapping() command in Zyxel VMG4005-B50B firmware versions through 5.13(ABRL.5.4)C0 could allow an adjacent attacker to trigger a temporary denial-of-service (DoS) condition affecting the UPnP function of the affected device.
AnalysisAI
Buffer overflow in the UPnP AddPortMapping() command handler on Zyxel VMG4005-B50B DSL/Ethernet CPE devices allows adjacent unauthenticated attackers to crash the UPnP service, causing a temporary denial-of-service condition. Affected firmware versions run through 5.13(ABRL.5.4)C0, and the vulnerability was self-disclosed by Zyxel in a June 2026 advisory covering multiple CPE product lines. No public exploit code exists and this vulnerability has not been confirmed as actively exploited (not in CISA KEV).
Technical ContextAI
CWE-120 (Classic Buffer Overflow) describes the root cause: the UPnP AddPortMapping() handler fails to properly validate the length or bounds of attacker-supplied input before writing it into a fixed-size buffer, corrupting adjacent memory and crashing the UPnP service process. UPnP uses SOAP over HTTP (typically on port 1900/UDP for discovery and a TCP port for control), allowing LAN-side clients to dynamically request port-forwarding rules from the router. The affected CPE string (cpe:2.3:a:zyxel:vmg4005-b50b_firmware) identifies the VMG4005-B50B as a DSL/Ethernet CPE device - a class of customer-premises equipment commonly deployed by ISPs. Because UPnP is frequently enabled by default on consumer and SOHO routers, the attack surface is present in typical deployments. The CVSS attack vector of Adjacent (AV:A) confines exploitation to the same broadcast domain or directly connected network segment rather than the open internet.
RemediationAI
Consult the Zyxel security advisory at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-buffer-overflow-vulnerabilities-in-the-upnp-function-of-certain-4g-lte-5g-nr-cpe-and-dsl-ethernet-cpe-06-02-2026 for patched firmware versions - a specific fix version was not included in the available input data, so 'Patch available per vendor advisory' is the confirmed status. Apply any Zyxel-released firmware update above version 5.13(ABRL.5.4)C0 once validated. As a compensating control, disable UPnP on the VMG4005-B50B via the device administration interface if UPnP is not required by connected clients; this eliminates the attack surface entirely but may break applications that rely on automatic port mapping (e.g., gaming consoles, VoIP clients, BitTorrent). Restrict LAN-side access to the UPnP control port if the device supports per-interface UPnP scoping. For ISP-managed deployments, consider pushing a configuration policy that disables UPnP fleet-wide pending firmware availability.
A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. Rated h
Zyxel VMG4325-B10A legacy DSL CPE contains post-authentication command injection via Telnet management commands, compani
The diagnostic-ping implementation on ZyXEL PMG5318-B20A devices with firmware before 1.00(AANC.2)C0 allows remote attac
The buffer overflow vulnerability in the library “libclinkc.so” of the web server “zhttpd” in Zyxel DX5401-B0 firmware v
Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware vers
A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Pat
ZyXEL PK5001Z devices have zyad5001 as the su password, which makes it easier for remote attackers to obtain root access
A command injection vulnerability in the configuration parser of the Zyxel ATP series firmware versions 5.10 through 5.3
Zyxel NBG6716 V1.00(AAKG.9)C0 devices allow command injection in the ozkerz component because beginIndex and endIndex ar
**UNSUPPORTED WHEN ASSIGNED** Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B
Zyxel WRE6505 devices have a default TELNET password of 1234 for the root and admin accounts, which makes it easier for
The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmwa
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33873
GHSA-r75m-m2v9-89vv