Skip to main content

Zyxel GS1900 Switches EUVDEUVD-2026-37030

| CVE-2026-7273 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-06-16 Zyxel GHSA-rrv4-8jq5-8j78
8.8
CVSS 3.1 · Vendor: Zyxel
Share

Severity by source

Vendor (Zyxel) PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Description explicitly states LAN-based (AV:A) and unauthenticated (PR:N), no user interaction, and OS command execution on the switch yields full C/I/A on the same management scope.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Zyxel).

CVSS VectorVendor: Zyxel

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 03:13 vuln.today

DescriptionCVE.org

A stack-based buffer overflow vulnerability in the CGI program of Zyxel GS1900-48HPv2 firmware versions through 2.90(ABTQ.1)C0 could allow a LAN-based, unauthenticated attacker to exploit the flaw and potentially execute OS commands via a crafted HTTP request.

AnalysisAI

Remote code execution in Zyxel GS1900 series managed switches (including GS1900-48HPv2, GS1900-8, GS1900-8HP, GS1900-10HP, GS1900-16, GS1900-24/24E/24EP/24HPv2, and GS1900-48) up to firmware 2.90(ABTQ.1)C0 allows a LAN-adjacent unauthenticated attacker to execute OS commands via a crafted HTTP request to the CGI handler. The flaw is a stack-based buffer overflow (CWE-121) carrying CVSS 8.8 and exposes the switch management plane to anyone on the same Layer-2 segment. No public exploit identified at time of analysis, but the vendor disclosed the issue concurrently with the advisory dated 2026-06-16.

Technical ContextAI

The GS1900 family are SMB-grade Gigabit smart-managed switches that expose configuration through an embedded web UI driven by CGI binaries running on the switch's management CPU. CWE-121 (stack-based buffer overflow) indicates a fixed-size stack buffer in one of these CGI handlers is written past its bounds when parsing untrusted HTTP request data - typically a query parameter, POST body field, or header copied with strcpy/sprintf/memcpy without length validation. Because management daemons on these embedded MIPS/ARM switches generally run as root with no ASLR/NX-style mitigations consistently enforced, stack corruption translates directly to OS command execution on the device. The CPE list spans nearly the entire current GS1900 lineup, indicating a shared CGI codebase across the firmware family.

RemediationAI

Apply the firmware update published in the Zyxel advisory dated 2026-06-16 (https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-stack-based-buffer-overflow-vulnerability-in-gs1900-series-switches-06-16-2026); the input does not enumerate the exact fixed-version string, so administrators should pull the patched build for each specific GS1900 model directly from the advisory's download links and verify the post-upgrade version is greater than 2.90(ABTQ.1)C0. Until patched, restrict the switch management interface to a dedicated management VLAN and use ACLs to permit HTTP/HTTPS only from administrator workstations - note this still leaves any compromised admin host as an attack path. If the web UI is not required, disable the HTTP/HTTPS management services and administer via SSH/console only; this removes the vulnerable CGI surface entirely but eliminates browser-based management. Block port 80/443 to the switch SVI from user VLANs at upstream routers as a defense-in-depth measure, accepting that this does nothing against an attacker already on the management segment.

Share

EUVD-2026-37030 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy