{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1459", "assignerOrgId": "96e50032-ad0d-4058-a115-4d2c13821f9f", "state": "PUBLISHED", "assignerShortName": "Zyxel", "dateReserved": "2026-01-27T01:26:24.186Z", "datePublished": "2026-02-24T02:48:35.439Z", "dateUpdated": "2026-02-26T14:44:10.011Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "VMG3625-T50B firmware", "vendor": "Zyxel", "versions": [{"status": "affected", "version": "<= 5.50(ABPM.9.7)C0"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of the Zyxel&nbsp;VMG3625-T50B firmware versions through&nbsp;5.50(ABPM.9.7)C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device."}], "value": "A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of the Zyxel\u00a0VMG3625-T50B firmware versions through\u00a05.50(ABPM.9.7)C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "96e50032-ad0d-4058-a115-4d2c13821f9f", "shortName": "Zyxel", "dateUpdated": "2026-02-24T02:48:35.439Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1459", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-25T04:55:35.642079Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:10.011Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1459", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-25T04:55:35.642079Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T19:18:43.312Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Zyxel", "product": "VMG3625-T50B firmware", "versions": [{"status": "affected", "version": "<= 5.50(ABPM.9.7)C0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of the Zyxel\u00a0VMG3625-T50B firmware versions through\u00a05.50(ABPM.9.7)C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device.", "supportingMedia": [{"type": "text/html", "value": "A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of the Zyxel&nbsp;VMG3625-T50B firmware versions through&nbsp;5.50(ABPM.9.7)C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "96e50032-ad0d-4058-a115-4d2c13821f9f", "shortName": "Zyxel", "dateUpdated": "2026-02-24T02:48:35.439Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1459", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:44:10.011Z", "dateReserved": "2026-01-27T01:26:24.186Z", "assignerOrgId": "96e50032-ad0d-4058-a115-4d2c13821f9f", "datePublished": "2026-02-24T02:48:35.439Z", "assignerShortName": "Zyxel"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:vmg8623-t50b_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "675946F8-788D-4ABE-BDBF-AE65096C9B1B", "versionEndIncluding": "5.50\\(abpm.9.7\\)c0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:vmg8623-t50b:-:*:*:*:*:*:*:*", "matchCriteriaId": "C3535B63-318C-4EB5-ADC8-0AF3FB443DFC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:dx5401-b1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "59AA9207-A8B5-49EB-8186-277219F3F5BD", "versionEndIncluding": "5.17\\(abyo.7.1\\)c0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:dx5401-b1:-:*:*:*:*:*:*:*", "matchCriteriaId": "AFE5C53C-4255-4AEE-A49E-36C1A2CF10F5", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:emg3525-t50b_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD74F6CA-CB8B-4EB0-AE3D-161A191DE3EF", "versionEndIncluding": "5.50\\(abpm.9.7\\)c0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:emg3525-t50b:-:*:*:*:*:*:*:*", "matchCriteriaId": "9259E2F6-885D-4B44-8D40-20758DA599D2", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:emg5523-t50b_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA0C31A9-963F-47B1-A3BD-073B8CE474BA", "versionEndIncluding": "5.50\\(abpm.9.7\\)c0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:emg5523-t50b:-:*:*:*:*:*:*:*", "matchCriteriaId": "F3ECE0EB-C429-4716-ABFB-73540847EB9E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:vmg3625-t50b_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "17CB6CFB-DE72-427F-9BB5-D1AE5DDF0A09", "versionEndIncluding": "5.50\\(abpm.9.7\\)c0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:vmg3625-t50b:-:*:*:*:*:*:*:*", "matchCriteriaId": "BB5E8468-D12F-4CBE-AC7E-27D5A928A85A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:vmg3625-t50c_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2BC4B86-23E5-4966-8854-BAE4DD565812", "versionEndIncluding": "5.50\\(abpm.9.7\\)c0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:vmg3625-t50c:-:*:*:*:*:*:*:*", "matchCriteriaId": "E3E07638-F7CA-451D-BB96-3E8C8752AD3D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of the Zyxel\u00a0VMG3625-T50B firmware versions through\u00a05.50(ABPM.9.7)C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n de comandos post-autenticaci\u00f3n en el programa CGI de descarga de certificados TR-369 de las versiones de firmware Zyxel VMG3625-T50B hasta la 5.50(ABPM.9.7)C0 podr\u00eda permitir a un atacante autenticado con privilegios de administrador ejecutar comandos del sistema operativo (SO) en un dispositivo afectado."}], "id": "CVE-2026-1459", "lastModified": "2026-02-25T18:05:40.307", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@zyxel.com.tw", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-24T03:16:00.587", "references": [{"source": "security@zyxel.com.tw", "tags": ["Vendor Advisory"], "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026"}], "sourceIdentifier": "security@zyxel.com.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@zyxel.com.tw", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.50(ABPM.9.7)C0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "VMG3625-T50B firmware", "source": "cna", "vendor": "Zyxel"}, "product": "vmg3625-t50b_firmware", "vendor": "zyxel"}], "analysis": {"en": {"generated_at": "2026-04-18T10:57:40.811715+00:00", "value": {"mitigation_remediation": ["Upgrade the device firmware to the latest Zyxel release that resolves the command injection vulnerability.", "Disable or restrict the TR\u2011369 certificate download CGI endpoint via the router\u2019s configuration or firewall rules if a patch is unavailable.", "Limit administrative access to trusted management networks and apply network segmentation to reduce the chance of credential compromise.", "Monitor device logs for anomalous command executions and implement intrusion detection rules targeting suspicious CGI inputs."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution via command injection"}, "threat_synthesis": {"affected_systems": "Zyxel routers including the VMG3625\u2011T50B firmware versions up to 5.50(ABPM.9.7)C0. The issue is tied to the TR\u2011369 certificate download CGI program and affects devices that are running the aforementioned firmware without applied vendor updates.", "description_and_impact": "The vulnerability allows an attacker who has successfully authenticated with administrative privileges on the Zyxel VMG3625\u2011T50B device to execute arbitrary operating system commands. Because the flaw is a classic OS command injection, the attacker could modify, delete, or exfiltrate system files, install backdoors, or otherwise take full control of the device. The weakness falls under CWE\u201178 and carries a CVSS score of 7.2, indicating a high severity level that can compromise the confidentiality, integrity, and availability of the network device and any services dependent on it.", "risk_and_exploitability": "The vulnerability is exploitable only after the attacker has obtained valid administrator credentials, which implies a post\u2011authentication attack vector. The EPSS score of less than 1% indicates a very low but non\u2011zero probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. Nevertheless, because an attacker can achieve complete control over the device, the risk remains significant. The primary conditions for exploitation are network access to the device and possession of administrative authentication. No additional prerequisites such as privilege escalation or local physical access are required once the credentials are in hand."}}}}, "created": "2026-02-24T09:53:07.507786+00:00", "title": "Post-Authentication Command Injection in Zyxel VMG3625\u2011T50B Firmware", "updated": "2026-04-18T11:00:05.749110+00:00", "vendors": ["zyxel", "zyxel$PRODUCT$vmg3625-t50b_firmware"]}