CVE-2026-1459

A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.7)C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:zyxel:vmg8623-t50b_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:vmg8623-t50b:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:zyxel:dx5401-b1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:dx5401-b1:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:zyxel:emg3525-t50b_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:emg3525-t50b:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:zyxel:emg5523-t50b_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:emg5523-t50b:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:zyxel:vmg3625-t50b_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:vmg3625-t50b:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:zyxel:vmg3625-t50c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:vmg3625-t50c:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-24 03:16

Updated : 2026-02-25 18:05

NVD link : CVE-2026-1459

Mitre link : CVE-2026-1459

CVE.ORG link : CVE-2026-1459

JSON object : View

Products Affected

zyxel

vmg3625-t50b
vmg3625-t50c_firmware
emg5523-t50b_firmware
emg3525-t50b
vmg3625-t50b_firmware
vmg8623-t50b
emg5523-t50b
dx5401-b1_firmware
vmg3625-t50c
vmg8623-t50b_firmware
emg3525-t50b_firmware
dx5401-b1

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2026-1459", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@zyxel.com.tw", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2026-02-24T03:16:00.587", "references": [{"url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026", "tags": ["Vendor Advisory"], "source": "security@zyxel.com.tw"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@zyxel.com.tw", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of the Zyxel\u00a0VMG3625-T50B firmware versions through\u00a05.50(ABPM.9.7)C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n de comandos post-autenticaci\u00f3n en el programa CGI de descarga de certificados TR-369 de las versiones de firmware Zyxel VMG3625-T50B hasta la 5.50(ABPM.9.7)C0 podr\u00eda permitir a un atacante autenticado con privilegios de administrador ejecutar comandos del sistema operativo (SO) en un dispositivo afectado."}], "lastModified": "2026-02-25T18:05:40.307", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:vmg8623-t50b_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "675946F8-788D-4ABE-BDBF-AE65096C9B1B", "versionEndIncluding": "5.50\\(abpm.9.7\\)c0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:vmg8623-t50b:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C3535B63-318C-4EB5-ADC8-0AF3FB443DFC"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:dx5401-b1_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "59AA9207-A8B5-49EB-8186-277219F3F5BD", "versionEndIncluding": "5.17\\(abyo.7.1\\)c0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:dx5401-b1:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "AFE5C53C-4255-4AEE-A49E-36C1A2CF10F5"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:emg3525-t50b_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FD74F6CA-CB8B-4EB0-AE3D-161A191DE3EF", "versionEndIncluding": "5.50\\(abpm.9.7\\)c0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:emg3525-t50b:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9259E2F6-885D-4B44-8D40-20758DA599D2"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:emg5523-t50b_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DA0C31A9-963F-47B1-A3BD-073B8CE474BA", "versionEndIncluding": "5.50\\(abpm.9.7\\)c0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:emg5523-t50b:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F3ECE0EB-C429-4716-ABFB-73540847EB9E"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:vmg3625-t50b_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17CB6CFB-DE72-427F-9BB5-D1AE5DDF0A09", "versionEndIncluding": "5.50\\(abpm.9.7\\)c0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:vmg3625-t50b:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "BB5E8468-D12F-4CBE-AC7E-27D5A928A85A"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:vmg3625-t50c_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A2BC4B86-23E5-4966-8854-BAE4DD565812", "versionEndIncluding": "5.50\\(abpm.9.7\\)c0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:vmg3625-t50c:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E3E07638-F7CA-451D-BB96-3E8C8752AD3D"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security@zyxel.com.tw"}