Zyxel security advisory (AV26-167)
# Vulnerability: Multiple Flaws in Zyxel CPE, Fiber ONTs, and Security Routers
## CVE Details
- **CVE-2025-0610**
  * **CVSS Score:** 9.8 (Critical)
  * **CWE:** CWE-78 (OS Command Injection)
- **CVE-2025-0611**
  * **CVSS Score:** 7.5 (High)
  * **CWE:** CWE-476 (NULL Pointer Dereference)
## Affected Systems
- **Products:** 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, Security Routers, and Wireless Extenders.
- **Affected models:**
* **NR/LTE Series:** NR7101, LTE3301-PLUS, LTE3316-M604, LTE5388-M804, LTE5398-M904, NR5103.
* **DSL/Ethernet Series:** AM3100-B0, DX3300-T0, DX3301-T0, DX5401-B0, EX3300-T0, EX3301-T0, EX5401-B0.
* **Fiber ONT Series:** PM3100-BA, PM5100-BA, PX3321-T1.
* **Security Routers:** SCR 50AXE.
* **Wireless Extenders:** WX3100-T0, WX3401-B0, WX5401-B0.
- **Configurations:** Devices of the listed models running firmware earlier than the patched version for that model (see Remediation). Exposure is greatest where the web management interface is reachable from the WAN.
## Vulnerability Description
This advisory addresses two distinct vulnerabilities in the web management interface of the affected devices:
1. **CVE-2025-0610 (OS Command Injection):** An OS command injection flaw in the web interface. An unauthenticated remote attacker can execute arbitrary operating system commands on the device by sending a specially crafted HTTP request.
2. **CVE-2025-0611 (NULL Pointer Dereference):** A NULL pointer dereference in the web interface. An unauthenticated remote attacker can trigger it with crafted packets, crashing the web service or forcing it to restart (denial of service).
## Exploitation
- **Status:** No reports of exploitation in the wild at the time of the advisory.
- **Attack Vector:** Network (remote, via the web management interface)
- **Complexity:** Low
- **Authentication:** None required (both CVEs)
## Impact
- **Confidentiality:** High (CVE-2025-0610)
- **Integrity:** High (CVE-2025-0610)
- **Availability:** High (both CVEs)
## Remediation
### Patches
Zyxel has released firmware updates for the affected models. Check the official Zyxel download center for the patched build for your model, or contact your local Zyxel support representative where a build is not published there. Patched versions (or newer) include:
- **NR7101:** V1.00(ABUV.10)C0
- **LTE3301-PLUS:** V1.00(ABOL.10)C0
- **EX3300-T0:** V5.50(ABVY.6)C0
- **SCR 50AXE:** V1.10(ACCO.3)C0
- *(Note: Please consult the vendor advisory for the full list of specific firmware strings per model).*
### Workarounds
- **Restrict Access:** Disable remote (WAN-side) access to the web management interface (HTTP/HTTPS) unless it is required.
- **Firewalling:** Where remote management is needed, allow it only from trusted internal networks, trusted source addresses, or over a VPN, and confirm from outside the network that the management ports on the WAN address no longer answer.
## Detection
- **Indicators of Compromise:** Review HTTP access logs for the device (from the device itself where it records requests, or from a proxy or network sensor in front of it) for shell metacharacters in request parameters (e.g., `;`, `&`, `|`, backticks, `$(`), including their URL-encoded forms (`%3B`, `%26`, `%7C`, `%0A`). Unexpected crashes or restarts of the web management service may indicate attempts against CVE-2025-0611.
- **Detection methods:** Confirm the running firmware version from the device's web interface, or with a vulnerability scanner carrying current Zyxel checks, and compare it against the fixed version for that model listed in the vendor advisory.
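The two detection items above, worked through as an added example (this is not Zyxel's or CCCS's own tooling): a scan of HTTP access logs for shell metacharacters in request parameters, decoding URL-encoding repeatedly so double-encoded payloads are not missed, and a firmware-version check that parses Zyxel's `V<major>.<minor>(<model code>.<release>)C<patch>` strings and compares a running version against the fixed version for that model. The log format (common access-log format from a proxy or sensor in front of the device), the metacharacter list, the fixed-version table (copied from the Remediation section of this page) and the numeric ordering rule for the version fields are assumptions; the sample log lines are constructed.

```python
"""Detection helpers for the Zyxel advisory (added example, not vendor tooling).
Assumptions: common access-log format, the metacharacter list below, the
fixed-version table copied from this page, and numeric ordering of version fields."""

import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Characters and sequences that let an injected value break out of a shell
# command: separators, pipes, backticks, $( ) / ${ } expansion and newlines
# (the latter often arrive as %0a). Assumed list; tune for your environment.
METACHAR_RE = re.compile(r"[;&|`\r\n]|\$\(|\$\{")

# Assumed: common/combined access-log format, as written by a reverse proxy or
# sensor in front of the CPE. Adjust the regex if your log source differs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%2524 -> %24 -> $) are seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def injection_candidates(log_lines):
    """Return (src, method, path, param, decoded_value) for every query
    parameter whose decoded value contains a shell metacharacter."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the whole scan
        parts = urlsplit(m.group("target"))
        # parse_qsl decodes one layer; fully_decode peels any further layers.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            value = fully_decode(value)
            if METACHAR_RE.search(value):
                hits.append((m.group("src"), m.group("method"), parts.path, name, value))
    return hits


# Zyxel firmware strings look like V5.50(ABVY.6)C0: platform major.minor,
# model code, release number, patch level. Assumed ordering: compare
# (major, minor, release, patch) numerically, within the same model code.
FW_RE = re.compile(
    r"^V(?P<major>\d+)\.(?P<minor>\d+)\((?P<model>[A-Z]+)\.(?P<release>\d+)\)C(?P<patch>\d+)$"
)

# Fixed versions quoted in the Remediation section of this page; extend the
# table from the vendor advisory for the remaining models.
FIXED_VERSIONS = {
    "NR7101": "V1.00(ABUV.10)C0",
    "LTE3301-PLUS": "V1.00(ABOL.10)C0",
    "EX3300-T0": "V5.50(ABVY.6)C0",
    "SCR 50AXE": "V1.10(ACCO.3)C0",
}


def parse_firmware(version: str):
    """Split a firmware string into (model code, comparable numeric tuple)."""
    m = FW_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    return m.group("model"), tuple(int(m.group(k)) for k in ("major", "minor", "release", "patch"))


def is_patched(model: str, running: str) -> bool:
    """True if `running` is at or above the fixed version for `model`.
    Raises ValueError if the string carries a different model code."""
    fixed_code, fixed = parse_firmware(FIXED_VERSIONS[model])
    running_code, current = parse_firmware(running)
    if running_code != fixed_code:
        raise ValueError(f"{running} is not {model} firmware (expected code {fixed_code})")
    return current >= fixed


# Constructed sample log lines for demonstration (addresses are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Feb/2026:10:01:12 +0000] "GET /cgi-bin/status.cgi?host=8.8.8.8 HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Feb/2026:10:01:15 +0000] "GET /cgi-bin/status.cgi?host=8.8.8.8%3Bcat%20/etc/passwd HTTP/1.1" 200 2048',
    '198.51.100.9 - - [24/Feb/2026:10:02:40 +0000] "POST /cgi-bin/diag.cgi?cmd=ping%2524%2528id%2529 HTTP/1.1" 500 0',
    '192.0.2.5 - - [24/Feb/2026:10:03:01 +0000] "GET /login?user=alice+smith HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for hit in injection_candidates(SAMPLE_LOG):
        print("suspicious:", hit)
    for model, fw in [("NR7101", "V1.00(ABUV.9)C0"), ("EX3300-T0", "V5.50(ABVY.6)C1")]:
        print(model, fw, "patched" if is_patched(model, fw) else "VULNERABLE")
```

Run it directly to see the two flagged requests (the second one is double-encoded and only shows `$(id)` after a second decoding pass) and the two version verdicts. The hits are review candidates rather than verdicts, since some legitimate parameters contain `&` or `|`. Device-local logs on CPE hardware rarely record full query strings, so in practice the scan is fed from logs captured upstream of the device.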
## References
- **Vendor advisory:** hxxps[://]www[.]zyxel[.]com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026
- **General Zyxel Security:** hxxps[://]www[.]zyxel[.]com/global/en/support/security-advisories
- **CCCS Bulletin:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/zyxel-security-advisory-av26-167