Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description explicitly states LAN-based (AV:A) and unauthenticated (PR:N), no user interaction, and OS command execution on the switch yields full C/I/A on the same management scope.
Primary rating from Vendor (Zyxel).
CVSS VectorVendor: Zyxel
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
A stack-based buffer overflow vulnerability in the CGI program of Zyxel GS1900-48HPv2 firmware versions through 2.90(ABTQ.1)C0 could allow a LAN-based, unauthenticated attacker to exploit the flaw and potentially execute OS commands via a crafted HTTP request.
AnalysisAI
Remote code execution in Zyxel GS1900 series managed switches (including GS1900-48HPv2, GS1900-8, GS1900-8HP, GS1900-10HP, GS1900-16, GS1900-24/24E/24EP/24HPv2, and GS1900-48) up to firmware 2.90(ABTQ.1)C0 allows a LAN-adjacent unauthenticated attacker to execute OS commands via a crafted HTTP request to the CGI handler. The flaw is a stack-based buffer overflow (CWE-121) carrying CVSS 8.8 and exposes the switch management plane to anyone on the same Layer-2 segment. No public exploit identified at time of analysis, but the vendor disclosed the issue concurrently with the advisory dated 2026-06-16.
Technical ContextAI
The GS1900 family are SMB-grade Gigabit smart-managed switches that expose configuration through an embedded web UI driven by CGI binaries running on the switch's management CPU. CWE-121 (stack-based buffer overflow) indicates a fixed-size stack buffer in one of these CGI handlers is written past its bounds when parsing untrusted HTTP request data - typically a query parameter, POST body field, or header copied with strcpy/sprintf/memcpy without length validation. Because management daemons on these embedded MIPS/ARM switches generally run as root with no ASLR/NX-style mitigations consistently enforced, stack corruption translates directly to OS command execution on the device. The CPE list spans nearly the entire current GS1900 lineup, indicating a shared CGI codebase across the firmware family.
RemediationAI
Apply the firmware update published in the Zyxel advisory dated 2026-06-16 (https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-stack-based-buffer-overflow-vulnerability-in-gs1900-series-switches-06-16-2026); the input does not enumerate the exact fixed-version string, so administrators should pull the patched build for each specific GS1900 model directly from the advisory's download links and verify the post-upgrade version is greater than 2.90(ABTQ.1)C0. Until patched, restrict the switch management interface to a dedicated management VLAN and use ACLs to permit HTTP/HTTPS only from administrator workstations - note this still leaves any compromised admin host as an attack path. If the web UI is not required, disable the HTTP/HTTPS management services and administer via SSH/console only; this removes the vulnerable CGI surface entirely but eliminates browser-based management. Block port 80/443 to the switch SVI from user VLANs at upstream routers as a defense-in-depth measure, accepting that this does nothing against an attacker already on the management segment.
More in Gs1900 48Hpv2 Firmware
View allA vulnerability in the TFTP client of Zyxel GS1900 series firmware, XGS1210 series firmware, and XGS1250 series firmware
A vulnerability in the 'libsal.so' of the Zyxel GS1900 series firmware version 2.60 could allow an authenticated local u
A post-authentication command injection vulnerability in the CGI program in the Zyxel GS1900-48 switch firmware version
An insufficient entropy vulnerability caused by the improper use of a randomness function with low entropy for web authe
An insufficient entropy vulnerability caused by the improper use of randomness sources with low entropy for RSA key pair
The improper privilege management vulnerability in the Zyxel GS1900-24EP switch firmware version V2.70(ABTO.5) could all
A buffer overflow vulnerability in the CGI program in the Zyxel GS1900-48 switch firmware version V2.80(AAHN.1)C0 and ea
A vulnerability was found in the CGI program in Zyxel GS1900-8 firmware version V2.60, that did not properly sterilize p
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37030
GHSA-rrv4-8jq5-8j78