211
CVEs
46
Critical
89
High
11
KEV
68
PoC
115
Unpatched C/H
15.6%
Patch Rate
7.8%
Avg EPSS
Severity Breakdown
CRITICAL
46
HIGH
89
MEDIUM
76
LOW
0
Monthly CVE Trend
Affected Products (30)
Usg Flex 700 Firmware
27
Usg Flex 200 Firmware
27
Usg Flex 100W Firmware
27
Usg Flex 500 Firmware
27
Usg Flex 100 Firmware
25
Nas326 Firmware
23
Vpn100 Firmware
21
Vpn50 Firmware
21
Vpn300 Firmware
21
Vpn1000 Firmware
20
Usg Flex 50W Firmware
20
Usg 20W Vpn Firmware
19
Zld
19
Atp200 Firmware
18
Atp800 Firmware
18
Atp500 Firmware
18
Usg Flex 50 Firmware
18
Atp100 Firmware
17
Nas542 Firmware
17
Vmg8623 T50b Firmware
17
Emg5523 T50b Firmware
17
Vmg3625 T50b Firmware
17
Emg3525 T50b Firmware
17
Gs1900 24 Firmware
16
Gs1900 8 Firmware
16
Atp100W Firmware
16
Ex3510 B0 Firmware
16
Atp700 Firmware
16
Gs1900 16 Firmware
15
Ex3301 T0 Firmware
15
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2017-6884 | A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. | HIGH | 8.8 | 92.0% | 206 |
KEV
PoC
No patch
|
| CVE-2024-40891 | Zyxel VMG4325-B10A legacy DSL CPE contains post-authentication command injection via Telnet management commands, companion vulnerability to CVE-2024-40890 affecting the same unsupported device. | HIGH | 8.8 | 55.4% | 149 |
KEV
No patch
|
| CVE-2015-6018 | The diagnostic-ping implementation on ZyXEL PMG5318-B20A devices with firmware before 1.00(AANC.2)C0 allows remote attackers to execute arbitrary commands via the PingIPAddr parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 22.1%. | CRITICAL | 9.8 | 22.1% | 91 |
PoC
No patch
|
| CVE-2022-30525 | A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 9.8 | 99.9% | 84 |
KEV
PoC
No patch
|
| CVE-2023-28771 | Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 9.8 | 99.3% | 84 |
KEV
PoC
No patch
|
| CVE-2023-28769 | The buffer overflow vulnerability in the library “libclinkc.so” of the web server “zhttpd” in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated attacker. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. | CRITICAL | 9.8 | 5.4% | 84 |
PoC
No patch
|
| CVE-2016-10401 | ZyXEL PK5001Z devices have zyad5001 as the su password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 16.9%. | HIGH | 8.8 | 16.9% | 81 |
PoC
No patch
|
| CVE-2023-33012 | A command injection vulnerability in the configuration parser of the Zyxel ATP series firmware versions 5.10 through 5.36 Patch 2, USG FLEX series firmware versions 5.00 through 5.36 Patch 2, USG. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available. | HIGH | 8.8 | 10.1% | 79 |
PoC
No patch
|
| CVE-2017-15226 | Zyxel NBG6716 V1.00(AAKG.9)C0 devices allow command injection in the ozkerz component because beginIndex and endIndex are used directly in a popen call. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 9.8 | 7.5% | 77 |
PoC
No patch
|
| CVE-2025-0890 | **UNSUPPORTED WHEN ASSIGNED** Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an attacker to log in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 23.8% and no vendor patch available. | CRITICAL | 9.8 | 23.8% | 73 |
No patch
|
| CVE-2017-7964 | Zyxel WRE6505 devices have a default TELNET password of 1234 for the root and admin accounts, which makes it easier for remote attackers to conduct DNS hijacking attacks by reconfiguring the built-in. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 10.0 | 2.7% | 73 |
PoC
No patch
|
| CVE-2023-28770 | The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. | HIGH | 7.5 | 57.8% | 72 |
PoC
No patch
|
| CVE-2019-15800 | An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 9.8 | 3.9% | 69 |
PoC
No patch
|
| CVE-2020-9054 | Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 9.8 | 100.0% | 69 |
KEV
PoC
No patch
|
| CVE-2020-15348 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows use of live/CPEManager/AXCampaignManager/delete_cpes_by_ids?cpe_ids= for eval injection of Python code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 9.8 | 1.8% | 69 |
PoC
No patch
|