Skip to main content

Zyxel WRE6505 v2 EUVDEUVD-2026-29376

| CVE-2026-7256 HIGH
OS Command Injection (CWE-78)
2026-05-12 Zyxel GHSA-c7j6-24cr-x2rf
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 04:30 vuln.today
CVE Published
May 12, 2026 - 03:25 nvd
HIGH 8.8

DescriptionCVE.org

UNSUPPORTED WHEN ASSIGNED A command injection vulnerability in the CGI program of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow an adjacent attacker on the LAN to execute operating system (OS) commands on a vulnerable device by sending a crafted HTTP request.

AnalysisAI

Command injection in Zyxel WRE6505 v2 firmware V1.00(ABDV.3)C0 allows unauthenticated adjacent network attackers to execute arbitrary operating system commands via crafted HTTP requests to the CGI interface. This vulnerability affects an end-of-life product with no vendor support, meaning no security patches will be released. Exploitation requires adjacent network access (same LAN segment) but no authentication, making it exploitable by any device on the local network including compromised IoT devices or malicious insiders.

Technical ContextAI

This is a classic command injection vulnerability (CWE-78) in the Common Gateway Interface (CGI) program of the WRE6505 v2 wireless range extender. CGI programs process web-based requests and often invoke shell commands to perform administrative functions. The vulnerability occurs when user-supplied input from HTTP requests is insufficiently validated before being passed to system command execution functions (such as system(), popen(), or exec() in C). According to the CPE string, this affects the WRE6505 v2 firmware platform specifically. The CVSS vector AV:A indicates adjacent network attack vector, meaning the attacker must be on the same network segment (Layer 2 broadcast domain) as the device, which is typical for LAN-side management interfaces on consumer networking equipment.

RemediationAI

No vendor-released patch will be made available as Zyxel has end-of-life'd the WRE6505 v2 product line per https://www.zyxel.com/global/en/support/end-of-life. Organizations must implement hardware replacement as the primary remediation strategy by migrating to currently supported Zyxel range extender models or alternative vendors with active security support. As interim compensating controls until replacement, isolate affected devices on dedicated VLAN segments with strict access control lists preventing access from untrusted LAN clients, disable the web management interface if CLI or alternative management methods are available (though this may impact usability), and implement network-based intrusion detection monitoring for HTTP POST requests to CGI endpoints with command injection patterns (semicolons, pipes, backticks in parameters). Note that disabling web management may render the device difficult to configure for non-technical users, and network segmentation only reduces exposure from compromised adjacent devices but does not eliminate risk from legitimate LAN users or physically proximate attackers. Hardware replacement remains the only complete mitigation for this permanently vulnerable EOL product.

More in Zyxel

View all
CVE-2017-6884 HIGH POC
8.8 Apr 06

A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. Rated h

CVE-2024-40891 HIGH
8.8 Feb 04

Zyxel VMG4325-B10A legacy DSL CPE contains post-authentication command injection via Telnet management commands, compani

CVE-2015-6018 CRITICAL POC
9.8 Dec 31

The diagnostic-ping implementation on ZyXEL PMG5318-B20A devices with firmware before 1.00(AANC.2)C0 allows remote attac

CVE-2023-28769 CRITICAL POC
9.8 Apr 27

The buffer overflow vulnerability in the library “libclinkc.so” of the web server “zhttpd” in Zyxel DX5401-B0 firmware v

CVE-2023-28771 CRITICAL POC
9.8 Apr 25

Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware vers

CVE-2022-30525 CRITICAL POC
9.8 May 12

A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Pat

CVE-2016-10401 HIGH POC
8.8 Jul 25

ZyXEL PK5001Z devices have zyad5001 as the su password, which makes it easier for remote attackers to obtain root access

CVE-2023-33012 HIGH POC
8.8 Jul 17

A command injection vulnerability in the configuration parser of the Zyxel ATP series firmware versions 5.10 through 5.3

CVE-2017-15226 CRITICAL POC
9.8 Oct 10

Zyxel NBG6716 V1.00(AAKG.9)C0 devices allow command injection in the ozkerz component because beginIndex and endIndex ar

CVE-2025-0890 CRITICAL
9.8 Feb 04

**UNSUPPORTED WHEN ASSIGNED** Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B

CVE-2017-7964 CRITICAL POC
10.0 Apr 19

Zyxel WRE6505 devices have a default TELNET password of 1234 for the root and admin accounts, which makes it easier for

CVE-2023-28770 HIGH POC
7.5 Apr 27

The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmwa

Share

EUVD-2026-29376 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy