17
CVEs
1
Critical
7
High
0
KEV
0
PoC
8
Unpatched C/H
0.0%
Patch Rate
0.2%
Avg EPSS
Severity Breakdown
CRITICAL
1
HIGH
7
MEDIUM
9
LOW
0
Monthly CVE Trend
Affected Products (30)
Dx4510 B1 Firmware
8
Emg3525 T50b Firmware
8
Vmg8623 T50b Firmware
8
Dx5401 B1 Firmware
8
Px5301 T0 Firmware
8
Ee6510 10 Firmware
8
Px3321 T1 Firmware
8
Vmg3625 T50b Firmware
8
Wx5610 B0 Firmware
8
Ex5512 T0 Firmware
8
Ex7710 B0 Firmware
8
Ex5510 B0 Firmware
8
Emg5523 T50b Firmware
8
Dx3300 T0 Firmware
7
Ee3301 00 Firmware
7
Ex5601 T1 Firmware
7
Ex3501 T0 Firmware
7
Ex3301 T0 Firmware
7
Ex5601 T0 Firmware
7
Ex7501 B0 Firmware
7
Ex3300 T1 Firmware
7
Ex3300 T0 Firmware
7
Gm4100 B0 Firmware
7
Ex3500 T0 Firmware
7
Pe3301 00 Firmware
7
Ex3510 B0 Firmware
7
Ex3510 B1 Firmware
7
Ex3600 T0 Firmware
7
Ee5301 00 Firmware
7
Dx3301 T0 Firmware
7
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2025-13942 | Command injection in Zyxel EX3510-B0 router UPnP functionality via firmware versions through 5.17. Allows remote code execution through the UPnP service. | CRITICAL | 9.8 | 0.5% | 49 |
No patch
|
| CVE-2026-7256 | Command injection in Zyxel WRE6505 v2 firmware V1.00(ABDV.3)C0 allows unauthenticated adjacent network attackers to execute arbitrary operating system commands via crafted HTTP requests to the CGI interface. This vulnerability affects an end-of-life product with no vendor support, meaning no security patches will be released. Exploitation requires adjacent network access (same LAN segment) but no authentication, making it exploitable by any device on the local network including compromised IoT devices or malicious insiders. | HIGH | 8.8 | 0.8% | 45 |
No patch
|
| CVE-2025-13943 | A post-authentication command injection vulnerability in the log file download function of the Zyxel EX3301-T0 firmware versions through 5.50(ABVY.7)C0 could allow an authenticated attacker to execute operating system (OS) commands on an affected device. [CVSS 8.8 HIGH] | HIGH | 8.8 | 0.2% | 44 |
No patch
|
| CVE-2026-7287 | Remote unauthenticated attackers can crash Zyxel NWA1100-N access points running customized firmware version 1.00(AACE.1)C0 by sending malformed HTTP requests that trigger buffer overflows in five distinct web server functions (formWep, formWlAc, formPasswordSetup, formUpgradeCert, formDelcert). The vulnerability enables denial-of-service attacks with high CVSS 7.5 severity but is limited to an end-of-life product according to Zyxel's reference documentation. No public exploit code identified at time of analysis, and EPSS data is unavailable for this recent CVE. | HIGH | 7.5 | 0.3% | 38 |
No patch
|
| CVE-2025-11730 | A post‑authentication command injection vulnerability in the Dynamic DNS (DDNS) configuration CLI command in Zyxel ATP series firmware versions from V5.35 through V5.41, USG FLEX series firmware versions from V5.35 through V5.41, USG FLEX 50(W) series firmware versions from V5.35 through V5.41, and USG20(W)-VPN series firmware versions from V5.35 through V5.41 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device by supplying a specially crafted string as an argument to the CLI command. [CVSS 7.2 HIGH] | HIGH | 7.2 | 0.3% | 36 |
No patch
|
| CVE-2026-1460 | Command injection in Zyxel DX3301-T0 and EX3301-T0 routers allows authenticated administrators to execute arbitrary OS commands by injecting malicious input into the DomainName parameter of DHCP configuration. Affects firmware versions through 5.50(ABVY.7.1)C0. Vendor Zyxel has published a security advisory with remediation guidance. EPSS data not available; no public exploit identified at time of analysis. While CVSS score is 7.2 (High), practical risk is constrained by requirement for admin-level authentication, limiting exposure to credential compromise or malicious insider scenarios. | HIGH | 7.2 | 0.2% | 36 |
No patch
|
| CVE-2026-1459 | Zyxel VMG3625-T50B, DX5401 B1, and EMG5523 T50B devices with firmware through version 5.50(ABPM.9.7)C0 contain a post-authentication command injection vulnerability in the TR-369 certificate download function that allows authenticated administrators to execute arbitrary operating system commands. An attacker with admin credentials could leverage this to gain complete control over the affected device. No patch is currently available. | HIGH | 7.2 | 0.1% | 36 |
No patch
|
| CVE-2026-0711 | Command injection in EasyMesh APIs of Zyxel DX3300-T0 firmware through version 5.50(ABVY.7.1)C0 allows authenticated administrators with adjacent network access to execute arbitrary OS commands on the device. The vulnerability requires both administrator privileges and adjacent network positioning (AV:A), significantly limiting exposure to local network attackers rather than remote threat actors. CVSS 6.8 reflects high confidentiality, integrity, and availability impact but is constrained by elevated privilege and adjacency requirements. | MEDIUM | 6.8 | 0.2% | 34 |
No patch
|
| CVE-2026-7255 | Brute-force password attacks against the web management interface of Zyxel WRE6505 v2 firmware V1.00(ABDV.3)C0 succeed due to improper rate-limiting on authentication attempts, allowing adjacent LAN attackers to bypass authentication and gain administrative access without requiring valid credentials. The vulnerability affects a legacy wireless range extender model marked as end-of-life by Zyxel, with CVSS 6.5 reflecting high confidentiality impact but local network scope. | MEDIUM | 6.5 | 0.0% | 33 |
No patch
|
| CVE-2025-11845 | A null pointer dereference vulnerability in the certificate downloader CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request. [CVSS 4.9 MEDIUM] | MEDIUM | 4.9 | 0.1% | 25 |
No patch
|
| CVE-2025-11846 | A null pointer dereference vulnerability in the account settings CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request. [CVSS 4.9 MEDIUM] | MEDIUM | 4.9 | 0.1% | 25 |
No patch
|
| CVE-2025-11847 | A null pointer dereference vulnerability in the IP settings CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request. [CVSS 4.9 MEDIUM] | MEDIUM | 4.9 | 0.1% | 25 |
No patch
|
| CVE-2025-11848 | A null pointer dereference vulnerability in the Wake-on-LAN CGI program of the Zyxel VMG3625-T50B firmware version through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request. [CVSS 4.9 MEDIUM] | MEDIUM | 4.9 | 0.1% | 25 |
No patch
|
| CVE-2026-6058 | Denial-of-service in Zyxel WRE6505 v2 firmware via improper encoding in the CGI program allows an adjacent WLAN attacker to crash the web management interface by crafting a malformed SSID and convincing an authenticated administrator to visit the 'AP Select' page. CVSS 4.5 (moderate) with attack vector limited to adjacent networks (Wi-Fi range). No public exploit code identified; Zyxel has marked this as unsupported (end-of-life product). | MEDIUM | 4.5 | 0.0% | 23 |
No patch
|
| CVE-2026-7257 | Zyxel WRE6505 v2 firmware stores sensitive configuration data in an insecure manner, allowing local administrators to download and decrypt backup configuration files, leading to disclosure of confidential credentials and network settings. The vulnerability affects firmware version V1.00(ABDV.3)C0 and requires local access with administrative privileges. No public exploit code or active exploitation has been identified; however, the product is no longer supported by Zyxel, limiting patch availability. | MEDIUM | 4.4 | 0.0% | 22 |
No patch
|