Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
UNSUPPORTED WHEN ASSIGNED A command injection vulnerability in the CGI program of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow an adjacent attacker on the LAN to execute operating system (OS) commands on a vulnerable device by sending a crafted HTTP request.
AnalysisAI
Command injection in Zyxel WRE6505 v2 firmware V1.00(ABDV.3)C0 allows unauthenticated adjacent network attackers to execute arbitrary operating system commands via crafted HTTP requests to the CGI interface. This vulnerability affects an end-of-life product with no vendor support, meaning no security patches will be released. Exploitation requires adjacent network access (same LAN segment) but no authentication, making it exploitable by any device on the local network including compromised IoT devices or malicious insiders.
Technical ContextAI
This is a classic command injection vulnerability (CWE-78) in the Common Gateway Interface (CGI) program of the WRE6505 v2 wireless range extender. CGI programs process web-based requests and often invoke shell commands to perform administrative functions. The vulnerability occurs when user-supplied input from HTTP requests is insufficiently validated before being passed to system command execution functions (such as system(), popen(), or exec() in C). According to the CPE string, this affects the WRE6505 v2 firmware platform specifically. The CVSS vector AV:A indicates adjacent network attack vector, meaning the attacker must be on the same network segment (Layer 2 broadcast domain) as the device, which is typical for LAN-side management interfaces on consumer networking equipment.
RemediationAI
No vendor-released patch will be made available as Zyxel has end-of-life'd the WRE6505 v2 product line per https://www.zyxel.com/global/en/support/end-of-life. Organizations must implement hardware replacement as the primary remediation strategy by migrating to currently supported Zyxel range extender models or alternative vendors with active security support. As interim compensating controls until replacement, isolate affected devices on dedicated VLAN segments with strict access control lists preventing access from untrusted LAN clients, disable the web management interface if CLI or alternative management methods are available (though this may impact usability), and implement network-based intrusion detection monitoring for HTTP POST requests to CGI endpoints with command injection patterns (semicolons, pipes, backticks in parameters). Note that disabling web management may render the device difficult to configure for non-technical users, and network segmentation only reduces exposure from compromised adjacent devices but does not eliminate risk from legitimate LAN users or physically proximate attackers. Hardware replacement remains the only complete mitigation for this permanently vulnerable EOL product.
A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. Rated h
Zyxel VMG4325-B10A legacy DSL CPE contains post-authentication command injection via Telnet management commands, compani
The diagnostic-ping implementation on ZyXEL PMG5318-B20A devices with firmware before 1.00(AANC.2)C0 allows remote attac
The buffer overflow vulnerability in the library “libclinkc.so” of the web server “zhttpd” in Zyxel DX5401-B0 firmware v
Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware vers
A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Pat
ZyXEL PK5001Z devices have zyad5001 as the su password, which makes it easier for remote attackers to obtain root access
A command injection vulnerability in the configuration parser of the Zyxel ATP series firmware versions 5.10 through 5.3
Zyxel NBG6716 V1.00(AAKG.9)C0 devices allow command injection in the ozkerz component because beginIndex and endIndex ar
**UNSUPPORTED WHEN ASSIGNED** Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B
Zyxel WRE6505 devices have a default TELNET password of 1234 for the root and admin accounts, which makes it easier for
The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmwa
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29376
GHSA-c7j6-24cr-x2rf