1. Home
  2. Support Overview
  3. Security Advisories
  4. Zyxel security advisory for command injection vulnerabilities in certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders

Zyxel security advisory for command injection vulnerabilities in certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders

CVEs: CVE-2026-0711, CVE-2026-1460
Summary

Zyxel has released patches for specific firmware versions of its 4G LTE/5G NR CPE, DSL/Ethernet, CPE Fiber ONTs, and Wireless Extenders. These updates address command injection vulnerabilities. Users are strongly advised to install the patches to ensure optimal protection.

What are the vulnerabilities?

CVE-2026-0711

A post-authentication command injection vulnerability in the EasyMesh-related APIs of certain 4G LTE/5G NR CPE, DSL/Ethernet, CPE Fiber ONTs, and Wireless Extenders firmware versions could allow an authenticated, adjacent attacker with administrator privileges to execute OS commands on an affected device. It is important to note that WAN access is disabled by default on these devices, and this attack can only succeed if user-configured passwords have been compromised.

CVE-2026-1460

A post-authentication command injection vulnerability in the “DomainName” parameter of the DHCP configuration file in certain 4G LTE/5G NR CPE, DSL/Ethernet, CPE Fiber ONTs, and Wireless Extenders firmware versions could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device. It is important to note that WAN access is disabled by default on these devices, and this attack can only succeed if user-configured passwords have been compromised.

What versions are vulnerable—and what should you do?

After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address the vulnerabilities, as shown in the tables below. Please note that the tables do not include customized models specifically designed for ISP customers. Any on-market product not listed in the table is not affected.


Table 1. Models affected by CVE-2026-0711
Product Affected model Affected version Patch availability*
4G LTE/5G NR CPE NR5307 2.00(ACJT.1)C0 and earlier 2.00(ACJT.3)C0
Nebula FWA515 1.60(ACPZ.0)C0 and earlier 1.60(ACPZ.0)V0
DSL/Ethernet CPE DX3300-T0 5.50(ABVY.7.1)C0 and earlier 5.50(ABVY.7.2)C0
DX3300-T1 5.50(ABVY.7.1)C0 and earlier 5.50(ABVY.7.2)C0
DX3301-T0 5.50(ABVY.7.1)C0 and earlier 5.50(ABVY.7.2)C0
DX5401-B0 5.17(ABYO.7.1)C0 and earlier 5.17(ABYO.7.2)C0 in May 2026
DX5401-B1 5.17(ABYO.7.1)C0 and earlier 5.17(ABYO.7.2)C0 in May 2026
EE3301-00 5.63(ACMU.2.1)C0 and earlier 5.63(ACMU.3.1)C0 in May 2026
EE5301-00 5.63(ACLD.2.1)C0 and earlier 5.63(ACLD.3.1)C0 in May 2026
EE6510-10 5.19(ACJQ.4.1)C0 and earlier 5.19(ACJQ.4.2)C0
EMG3525-T50B 5.50(ABPM.9.7)C0 and earlier 5.50(ABPM.9.8)C0
EMG5523-T50B 5.50(ABPM.9.7)C0 and earlier 5.50(ABPM.9.8)C0
EX3300-T0 5.50(ABVY.7.1)C0 and earlier 5.50(ABVY.7.2)C0
EX3300-T1 5.50(ABVY.7.1)C0 and earlier 5.50(ABVY.7.2)C0
EX3301-T0 5.50(ABVY.7.1)C0 and earlier 5.50(ABVY.7.2)C0
EX3500-T0 5.44(ACHR.5.1)C0 and earlier 5.44(ACHR.6)C0 in May 2026
EX3501-T0 5.44(ACHR.5.1)C0 and earlier 5.44(ACHR.6)C0 in May 2026
EX3600-T0 5.70(ACIF.2.1)C0 and earlier 5.70(ACIF.3)C0 in May 2026
EX5401-B0 5.17(ABYO.7.1)C0 and earlier 5.17(ABYO.7.2)C0
EX5401-B1 5.17(ABYO.7.1)C0 and earlier 5.17(ABYO.7.2)C0
EX5512-T0 5.70(ACEG.5.4)C0 and earlier 5.70(ACEG.5.5)C0
EX5601-T0 5.70(ACDZ.5.1)C0 and earlier 5.70(ACDZ.6)C0 in May 2026
EX5601-T1 5.70(ACDZ.5.1)C0 and earlier 5.70(ACDZ.6)C0 in May 2026
EX7501-B0 5.18(ACHN.3.1)C0 and earlier 5.18(ACHN.3.2)C0
VMG3625-T50B 5.50(ABPM.9.7)C0 and earlier 5.50(ABPM.9.8)C0
VMG8623-T50B 5.50(ABPM.9.7)C0 and earlier 5.50(ABPM.9.8)C0
Fiber ONTs AX7501-B0 5.17(ABPC.7.1)C0 and earlier 5.17(ABPC.7.2)C0
AX7501-B1 5.17(ABPC.7.1)C0 and earlier 5.17(ABPC.7.2)C0
PE3301-00 5.63(ACMT.2.1)C0 and earlier 5.63(ACMT.3.1)C0 in May 2026
PE5301-01 5.63(ACOJ.2.1)C0 and earlier 5.63(ACOJ.3.1)C0 in May 2026
PX5302-00 5.44(ACNM.0)C0 and earlier 5.44(ACNM.0.1)C0
PX5301-T0 5.44(ACKB.0.6)C0 and earlier 5.44(ACKB.0.7)C0
Wireless Extenders WE3300-00 5.70(ACKA.1.1)C0 and earlier 5.70(ACKA.2)C0 in May 2026
WX3100-T0 5.50(ABVL.4.9)C0 and earlier 5.50(ABVL.4.10)C0
WE4600-00 6.70(ACKT.0)C0 and earlier 6.70(ACKT.1)C0 in May 2026
WX5600-T0 5.70(ACEB.5.1)C0 and earlier 5.70(ACEB.6)C0 in May 2026

* Please contact your Zyxel sales representative or support team to obtain the file.

Table 2. Models affected by CVE-2026-1460
Product Affected model Affected version Patch availability*
4G LTE/5G NR CPENebula FWA701.51(ACRF.0)C0 and earlier1.51(ACRF.0)V0
Nebula FWA5051.60(ACKO.2)C0 and earlier1.60(ACKO.3)V0
Nebula FWA5101.60(ACGD.0)C0 and earlier1.60(ACGD.1)V0
Nebula FWA5151.60(ACPZ.0)C0 and earlier1.60(ACPZ.1)V0
Nebula FWA7101.60(ACGC.1)C0 and earlier1.60(ACGC.2)V0
Nebula LTE3301-PLUS1.18(ACCA.6)C0 and earlier1.18(ACCA.7)V0
Nebula LTE7461-M6021.15(ACEV.4)C0 and earlier1.15(ACEV.4)V0
Nebula NR51011.16(ACCG.1)C0 and earlier1.16(ACCG.1)V0
Nebula NR71011.16(ACCC.1)C0 and earlier1.16(ACCC.2)V0
DSL/Ethernet CPE DX3300-T05.50(ABVY.7.1)C0 and earlier5.50(ABVY.7.2)C0
DX3300-T15.50(ABVY.7.1)C0 and earlier5.50(ABVY.7.2)C0
DX3301-T05.50(ABVY.7.1)C0 and earlier5.50(ABVY.7.2)C0
DX5401-B15.17(ABYO.7.1)C0 and earlier5.17(ABYO.7.2)C0
EE3301-005.63(ACMU.2.1)C0 and earlier5.63(ACMU.3.1)C0 in May 2026
EE5301-005.63(ACLD.2.1)C0 and earlier5.63(ACLD.3.1)C0 in May 2026
EE6510-105.19(ACJQ.4.1)C0 and earlier5.19(ACJQ.4.2)C0
EMG3525-T50B5.50(ABPM.9.7)C0 and earlier5.50(ABPM.9.8)C0
EMG5523-T50B5.50(ABPM.9.7)C0 and earlier5.50(ABPM.9.8)C0
EX2210-T05.50(ACDI.2.4)C0 and earlier5.50(ACDI.2.5)C0
EX3300-T05.50(ABVY.7.1)C0 and earlier5.50(ABVY.7.2)C0
EX3300-T15.50(ABVY.7.1)C0 and earlier5.50(ABVY.7.2)C0
EX3301-T05.50(ABVY.7.1)C0 and earlier5.50(ABVY.7.2)C0
EX3500-T05.44(ACHR.5.1)C0 and earlier5.44(ACHR.6)C0 in May 2026
EX3501-T05.44(ACHR.5.1)C0 and earlier5.44(ACHR.6)C0 in May 2026
EX3600-T05.70(ACIF.2.1)C0 and earlier5.70(ACIF.3)C0 in May 2026
EX5401-B15.17(ABYO.7.1)C0 and earlier5.17(ABYO.7.2)C0
EX5512-T05.70(ACEG.5.4)C0 and earlier5.70(ACEG.5.5)C0
EX5601-T05.70(ACDZ.5.1)C0 and earlier5.70(ACDZ.6)C0 in May 2026
EX5601-T15.70(ACDZ.5.1)C0 and earlier5.70(ACDZ.6)C0 in May 2026
EX7501-B05.18(ACHN.3.1)C0 and earlier5.18(ACHN.3.2)C0
EX7710-B05.18(ACAK.1.6)C0 and earlier5.18(ACAK.1.7)C0
GM4100-B05.18(ACCL.2)C0 and earlier5.18(ACCL.2.1)C0
VMG3625-T50B5.50(ABPM.9.7)C0 and earlier5.50(ABPM.9.8)C0
VMG4005-B50A5.17(ABQA.3.2)C0 and earlier5.17(ABQA.3.3)C0
VMG4005-B60A5.17(ABQA.3.2)C0 and earlier5.17(ABQA.3.3)C0
VMG8623-T50B5.50(ABPM.9.7)C0 and earlier5.50(ABPM.9.8)C0
Fiber ONTsAM7510-005.63(ACOR.0.1)C0 and earlier5.63(ACOR.0.2)C0
AX7501-B15.17(ABPC.7.1)C0 and earlier5.17(ABPC.7.2)C0
PE3301-005.63(ACMT.2.1)C0 and earlier5.63(ACMT.3.1)C0 in May 2026
PE5301-015.63(ACOJ.2.1)C0 and earlier5.63(ACOJ.3.1)C0 in May 2026
PX5301-T05.44(ACKB.0.6)C0 and earlier5.44(ACKB.0.7)C0
PX5302-005.44(ACNM.0)C0 and earlier5.44(ACNM.0.1)C0
Wireless ExtendersWE3300-005.70(ACKA.1.1)C0 and earlier5.70(ACKA.2)C0 in May 2026
WE4600-006.70(ACKT.0)C0 and earlier6.70(ACKT.1)C0 in May 2026
WX5600-T05.70(ACEB.5.1)C0 and earlier5.70(ACEB.6)C0 in May 2026

* Please contact your Zyxel sales representative or support team to obtain the file.

For ISPs, please contact your Zyxel sales or service representatives for further details.

For end-users who acquired their Zyxel device from an ISP, we recommend reaching out directly to the ISP's support team, as the device may have custom-built settings.

For end-users who purchased their Zyxel device themselves, please contact your local Zyxel support team for the new firmware file to ensure optimal protection, or visit Zyxel's Community for further assistance.

Got a question?

Please contact your local service rep or visit Zyxel's Community for further information or assistance.

Acknowledgment

Thanks to the following security researchers:

  • Joni Gadd for CVE-2026-0711
  • Watchful IP for CVE-2026-1460
Revision history

2026-4-28: Initial release