Zyxel security advisory for buffer overflow vulnerabilities in the UPnP function of certain 4G LTE/5G NR CPE and DSL/Ethernet CPE

CVEs: CVE-2026-3870, CVE-2026-3871

Summary

Zyxel has released patches for specific firmware versions of certain 4G LTE/5G NR CPE and DSL/Ethernet CPE devices to address buffer overflow vulnerabilities. Users are strongly advised to install these patches to ensure optimal protection.

What are the vulnerabilities?

CVE-2026-3870

A buffer overflow vulnerability in the UPnP AddPortMapping() command in certain DSL/Ethernet CPE firmware versions could allow an adjacent attacker to trigger a temporary denial-of-service (DoS) condition affecting the UPnP function of the affected device. It is important to note that this vulnerability can only be exploited within a LAN/WLAN environment, and the device will continue to function as expected when processing network traffic, even if the attack is successful.

CVE-2026-3871

A buffer overflow vulnerability in the UPnP DeletePortMapping() command in certain 4G LTE/5G NR CPE and DSL/Ethernet CPE firmware versions could allow an adjacent attacker to trigger a temporary DoS condition affecting the UPnP function of the affected device. It is important to note that this vulnerability can only be exploited within a LAN/WLAN environment, and the device will continue to function as expected when processing network traffic, even if the attack is successful.

What versions are vulnerable—and what should you do?

After a thorough investigation, we identified the vulnerable products within their vulnerability support period and released firmware patches to address these vulnerabilities, as shown in the tables below. Please note that the tables do not include customized models specifically designed for ISP customers. Any product currently on the market that is not listed in the tables is not affected.


Table 1. Models affected by CVE-2026-3870

| Product | Affected model | Affected version | Patch availability* |
|---|---|---|---|
| DSL/Ethernet CPE | VMG4005-B50B | 5.13(ABRL.5.4)C0 and earlier | 5.13(ABRL.5.5)C0 |

* Please contact your Zyxel sales representative or support team to obtain the file.

Table 2. Models affected by CVE-2026-3871

| Product | Affected model | Affected version | Patch availability* |
|---|---|---|---|
| 4G LTE/5G NR CPE | NR7101 | 1.00(ABUV.11)C0 and earlier | 1.00(ABUV.12)B4 |
| 4G LTE/5G NR CPE | Nebula LTE3301-PLUS | 1.18(ACCA.6)C0 and earlier | 1.18(ACCA.8)V0 |
| 4G LTE/5G NR CPE | Nebula NR7101 | 1.16(ACCC.1)C0 and earlier | 1.16(ACCC.3)V0 |
| DSL/Ethernet CPE | VMG4005-B50B | 5.13(ABRL.5.4)C0 and earlier | 5.13(ABRL.5.5)C0 |

* Please contact your Zyxel sales representative or support team to obtain the file.

For ISPs, please contact your Zyxel sales or service representatives for further details.

For end-users who acquired their Zyxel device from an ISP, we recommend reaching out directly to the ISP's support team, as the device may have custom-built settings.

For end-users who purchased their Zyxel device themselves, please contact your local Zyxel support team for the new firmware file to ensure optimal protection, or visit Zyxel's Community for further assistance.
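The following Python, added here as an example and not Zyxel code, classifies a firmware string from a device inventory against Tables 1 and 2. It assumes the four-letter code in parentheses identifies the firmware track and that builds within a track order numerically; `parse` and `triage` are hypothetical names.

```python
import re

# Rows copied from Tables 1 and 2: (model, last affected, patched, CVEs).
ADVISORY = [
    ("VMG4005-B50B", "5.13(ABRL.5.4)C0", "5.13(ABRL.5.5)C0",
     ("CVE-2026-3870", "CVE-2026-3871")),
    ("NR7101", "1.00(ABUV.11)C0", "1.00(ABUV.12)B4", ("CVE-2026-3871",)),
    ("Nebula LTE3301-PLUS", "1.18(ACCA.6)C0", "1.18(ACCA.8)V0", ("CVE-2026-3871",)),
    ("Nebula NR7101", "1.16(ACCC.1)C0", "1.16(ACCC.3)V0", ("CVE-2026-3871",)),
]

# Assumed layout: <major>.<minor>(<4-letter track>.<build>)<suffix>
FW_RE = re.compile(r"^(\d+)\.(\d+)\(([A-Z]{4})\.(\d+(?:\.\d+)*)\)([A-Z]\d+)$")


def parse(fw):
    """Split a firmware string into (track, sortable key, suffix)."""
    m = FW_RE.match(fw.strip())
    if not m:
        raise ValueError(f"unrecognized firmware string: {fw!r}")
    major, minor, track, build, suffix = m.groups()
    key = (int(major), int(minor), *map(int, build.split(".")))
    return track, key, suffix


def triage(fw):
    """Return (model, status, cves) for one reported firmware string."""
    track, key, suffix = parse(fw)
    for model, last_bad, fixed, cves in ADVISORY:
        bad_track, bad_key, _ = parse(last_bad)
        if track != bad_track:
            continue
        _, fixed_key, fixed_suffix = parse(fixed)
        if key <= bad_key:
            return model, "affected", cves
        if key > fixed_key or (key == fixed_key and suffix == fixed_suffix):
            return model, "patched", cves
        # Between the two listed builds, or same build with another suffix:
        # the advisory does not say, so flag for manual follow-up.
        return model, "unknown", cves
    return None, "not-listed", ()


if __name__ == "__main__":
    # Constructed inventory values, not taken from real devices.
    for fw in ("5.13(ABRL.5.4)C0", "1.18(ACCA.7)C0", "1.16(ACCC.3)V0"):
        print(fw, *triage(fw)[:2])
```

A `not-listed` result only means the firmware track is absent from the tables, which by the advisory's own note do not cover customized ISP models.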

Got a question?

Please contact your local service rep or visit Zyxel's Community for further information or assistance.

Acknowledgment

Thanks to McCaulay Hudson from watchTowr for reporting the issues to us.

Revision history

2026-6-2: Initial release