Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
A buffer overflow vulnerability in the UPnP DeletePortMapping() command in Zyxel VMG4005-B50B firmware versions through 5.13(ABRL.5.4)C0 could allow an adjacent attacker to trigger a temporary denial-of-service (DoS) condition affecting the UPnP function of the affected device.
AnalysisAI
Buffer overflow in the UPnP DeletePortMapping() command of Zyxel VMG4005-B50B DSL/Ethernet CPE firmware (through 5.13(ABRL.5.4)C0) enables an unauthenticated adjacent-network attacker to crash the device's UPnP service. The impact is a temporary, recoverable denial-of-service confined to the UPnP function - availability is fully affected (A:H) while confidentiality and integrity remain unimpacted (C:N/I:N). No public exploit code or CISA KEV listing exists at time of analysis; the vulnerability was disclosed by Zyxel itself on 2026-06-02.
Technical ContextAI
CWE-120 (Buffer Copy without Checking Size of Input) describes the root cause: the UPnP service's handler for the DeletePortMapping() action fails to validate the length of attacker-controlled input before copying it into a fixed-size stack or heap buffer, resulting in a classic stack/heap overflow that corrupts process state and crashes the UPnP daemon. UPnP (Universal Plug and Play) is a network protocol suite common on CPE devices that enables automatic port-forwarding discovery; DeletePortMapping is a standard UPnP WANIPConnection action that removes an existing port mapping entry. The affected product - identified by CPE cpe:2.3:a:zyxel:vmg4005-b50b_firmware:*:*:*:*:*:*:*:* - is a Zyxel DSL/Ethernet customer premises equipment (CPE) device, consistent with the advisory's broader scope covering '4G/LTE, 5G NR CPE and DSL Ethernet CPE' product lines. The CVSS attack vector of AV:A (Adjacent) reflects that UPnP traffic operates over the local network segment and is not normally routable across the internet.
RemediationAI
The primary remediation is to apply the patch or firmware update identified in Zyxel's security advisory at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-buffer-overflow-vulnerabilities-in-the-upnp-function-of-certain-4g-lte-5g-nr-cpe-and-dsl-ethernet-cpe-06-02-2026; however, no specific patched firmware version number was included in the available input data, so the exact target version cannot be independently confirmed here - consult the advisory directly for the confirmed fix version before upgrading. As a compensating control where patching is not immediately possible, disabling the UPnP service entirely on the VMG4005-B50B removes the attack surface completely; the trade-off is that applications relying on automatic UPnP port-forwarding (gaming consoles, P2P clients, some VoIP adapters) will require manual port-forwarding configuration. Additionally, restricting LAN-side access to the device's UPnP port (typically UDP 1900 / SSDP and TCP 5000) via ACLs or firewall rules on upstream network equipment reduces exposure to trusted hosts only. Given the adjacent-network attack vector, ensuring that untrusted devices cannot reach the same broadcast domain as the CPE (e.g., proper VLAN segmentation for guest networks) provides a meaningful architectural mitigation.
A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. Rated h
Zyxel VMG4325-B10A legacy DSL CPE contains post-authentication command injection via Telnet management commands, compani
The diagnostic-ping implementation on ZyXEL PMG5318-B20A devices with firmware before 1.00(AANC.2)C0 allows remote attac
The buffer overflow vulnerability in the library “libclinkc.so” of the web server “zhttpd” in Zyxel DX5401-B0 firmware v
Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware vers
A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Pat
ZyXEL PK5001Z devices have zyad5001 as the su password, which makes it easier for remote attackers to obtain root access
A command injection vulnerability in the configuration parser of the Zyxel ATP series firmware versions 5.10 through 5.3
Zyxel NBG6716 V1.00(AAKG.9)C0 devices allow command injection in the ozkerz component because beginIndex and endIndex ar
**UNSUPPORTED WHEN ASSIGNED** Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B
Zyxel WRE6505 devices have a default TELNET password of 1234 for the root and admin accounts, which makes it easier for
The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmwa
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33876
GHSA-c8pm-7pr3-cmh3