Skip to main content

Zyxel NWA1100-N CVE-2026-7287

| EUVDEUVD-2026-29378 HIGH
Classic Buffer Overflow (CWE-120)
2026-05-12 Zyxel GHSA-j38v-jpjg-hvr2
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 04:31 vuln.today
CVE Published
May 12, 2026 - 03:56 nvd
HIGH 7.5

DescriptionCVE.org

UNSUPPORTED WHEN ASSIGNED A buffer overflow vulnerability in the formWep(), formWlAc(), formPasswordSetup(), formUpgradeCert(), and formDelcert() functions of the “webs” binary in Zyxel NWA1100-N customized firmware version 1.00(AACE.1)C0 could allow an attacker to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request to a vulnerable device.

AnalysisAI

Remote unauthenticated attackers can crash Zyxel NWA1100-N access points running customized firmware version 1.00(AACE.1)C0 by sending malformed HTTP requests that trigger buffer overflows in five distinct web server functions (formWep, formWlAc, formPasswordSetup, formUpgradeCert, formDelcert). The vulnerability enables denial-of-service attacks with high CVSS 7.5 severity but is limited to an end-of-life product according to Zyxel's reference documentation. No public exploit code identified at time of analysis, and EPSS data is unavailable for this recent CVE.

Technical ContextAI

The vulnerability resides in the 'webs' binary, Zyxel's custom web server component that handles administrative HTTP requests on the NWA1100-N wireless access point. CWE-120 (Buffer Copy without Checking Size of Input) indicates classic memory safety failures where user-supplied HTTP parameters are copied into fixed-size stack or heap buffers without proper bounds checking. All five affected functions (formWep for WEP configuration, formWlAc for wireless access control, formPasswordSetup for credential management, formUpgradeCert and formDelcert for certificate operations) share this unsafe input handling pattern. The CPE identifier cpe:2.3:a:zyxel:nwa1100-n_firmware:*:*:*:*:*:*:*:* confirms this affects the firmware application layer rather than underlying Linux components. Buffer overflows in embedded device web servers are particularly concerning because these systems often lack modern exploit mitigations like ASLR or stack canaries, though in this case the impact is limited to availability disruption.

RemediationAI

No vendor-released patch identified at time of analysis - the affected Zyxel NWA1100-N product is end-of-life per https://www.zyxel.com/global/en/support/end-of-life, meaning Zyxel will not provide security updates. Organizations still deploying this hardware should replace it with currently supported access point models from Zyxel's active product line. As interim mitigation, restrict administrative HTTP/HTTPS access to the NWA1100-N web interface using network segmentation and firewall rules, allowing connections only from trusted management VLANs or specific administrator IP addresses. Disable remote management features if not operationally required and access the device only via out-of-band management networks. These compensating controls reduce attack surface but do not eliminate risk - note that blocking external access may conflict with legitimate remote administration requirements and requires careful network architecture planning. Monitor devices for unexpected reboots that could indicate exploitation attempts.

More in Zyxel

View all
CVE-2017-6884 HIGH POC
8.8 Apr 06

A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. Rated h

CVE-2024-40891 HIGH
8.8 Feb 04

Zyxel VMG4325-B10A legacy DSL CPE contains post-authentication command injection via Telnet management commands, compani

CVE-2015-6018 CRITICAL POC
9.8 Dec 31

The diagnostic-ping implementation on ZyXEL PMG5318-B20A devices with firmware before 1.00(AANC.2)C0 allows remote attac

CVE-2023-28769 CRITICAL POC
9.8 Apr 27

The buffer overflow vulnerability in the library “libclinkc.so” of the web server “zhttpd” in Zyxel DX5401-B0 firmware v

CVE-2023-28771 CRITICAL POC
9.8 Apr 25

Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware vers

CVE-2022-30525 CRITICAL POC
9.8 May 12

A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Pat

CVE-2016-10401 HIGH POC
8.8 Jul 25

ZyXEL PK5001Z devices have zyad5001 as the su password, which makes it easier for remote attackers to obtain root access

CVE-2023-33012 HIGH POC
8.8 Jul 17

A command injection vulnerability in the configuration parser of the Zyxel ATP series firmware versions 5.10 through 5.3

CVE-2017-15226 CRITICAL POC
9.8 Oct 10

Zyxel NBG6716 V1.00(AAKG.9)C0 devices allow command injection in the ozkerz component because beginIndex and endIndex ar

CVE-2025-0890 CRITICAL
9.8 Feb 04

**UNSUPPORTED WHEN ASSIGNED** Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B

CVE-2017-7964 CRITICAL POC
10.0 Apr 19

Zyxel WRE6505 devices have a default TELNET password of 1234 for the root and admin accounts, which makes it easier for

CVE-2023-28770 HIGH POC
7.5 Apr 27

The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmwa

Share

CVE-2026-7287 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy