Zyxel security advisory for null pointer dereference and command injection vulnerabilities in certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, Security Routers, and Wireless Extenders
CVEs: CVE-2025-11845, CVE-2025-11846, CVE-2025-11847, CVE-2025-11848, CVE-2025-13942, CVE-2025-13943, CVE-2026-1459
Summary
Zyxel has released patches for specific firmware versions of its 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, Security Routers, and Wireless Extenders. These updates address null pointer dereference and command injection vulnerabilities. Users are strongly advised to install the patches to maintain optimal protection.
What are the vulnerabilities?
CVE-2025-11845
A null pointer dereference vulnerability in the certificate downloader CGI program of certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, Security Routers, and Wireless Extenders firmware versions could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request. It is important to note that WAN access is disabled by default on these devices, and this attack can only succeed if user-configured passwords have been compromised.
CVE-2025-11846
A null pointer dereference vulnerability in the account settings CGI program of certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, Security Routers, and Wireless Extenders firmware versions could allow an authenticated attacker with administrator privileges to trigger a DoS condition by sending a crafted HTTP request. It is important to note that WAN access is disabled by default on these devices, and this attack can only succeed if user-configured passwords have been compromised.
CVE-2025-11847
A null pointer dereference vulnerability in the IP settings CGI program of certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, Security Routers, and Wireless Extenders firmware versions could allow an authenticated attacker with administrator privileges to trigger a DoS condition by sending a crafted HTTP request. It is important to note that WAN access is disabled by default on these devices, and this attack can only succeed if user-configured passwords have been compromised.
CVE-2025-11848
A null pointer dereference vulnerability in the Wake-on-LAN CGI program of certain DSL/Ethernet CPE, Fiber ONTs, Security Routers, and Wireless Extenders firmware versions could allow an authenticated attacker with administrator privileges to trigger a DoS condition by sending a crafted HTTP request. It is important to note that WAN access is disabled by default on these devices, and this attack can only succeed if user-configured passwords have been compromised.
CVE-2025-13942
A command injection vulnerability in the UPnP function of certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders firmware versions could allow a remote attacker to execute operating system (OS) commands on an affected device by sending specially crafted UPnP SOAP requests. It is important to note that WAN access is disabled by default on these devices, and the attack can be carried out remotely only if both WAN access and the vulnerable UPnP function have been enabled.
CVE-2025-13943
A post-authentication command injection vulnerability in the log file download function of certain DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders firmware versions could allow an authenticated attacker to execute OS commands on an affected device. It is important to note that WAN access is disabled by default on these devices, and this attack can only succeed if user-configured passwords have been compromised.
CVE-2026-1459
A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of certain DSL/Ethernet CPE firmware versions could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device. It is important to note that WAN access is disabled by default on these devices, and this attack can only succeed if user-configured passwords have been compromised.
What versions are vulnerable—and what should you do?
After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address these vulnerabilities, as shown in the tables below. Please note that the tables do not include customized models specifically designed for ISP customers. Any on-market product not listed in the table is not affected.
Table 1. Models affected by CVE-2025-11845
| Product | Affected model | Affected version | Patch availability* |
|---|---|---|---|
| 4G LTE/5G NR CPE | LTE3301-PLUS | 1.00(ABQU.8)C0 and earlier | 1.00(ABQU.9)C0 |
| Nebula FWA505 | 1.19(ACKO.0)C0 and earlier | 1.60(ACKO.2)V0 | |
| Nebula FWA510 | 1.20(ACGD.1)C0 and earlier | 1.60(ACGD.0)C0 | |
| Nebula FWA515 | 1.50(ACPZ.0)C0 and earlier | 1.60(ACPZ.0)V0 | |
| Nebula FWA710 | 1.20(ACGC.0)C0 and earlier | 1.60(ACGC.1)V0 | |
| Nebula LTE3301-PLUS | 1.18(ACCA.6)C0 and earlier | 1.18(ACCA.6)V0 | |
| DSL/Ethernet CPE | DX3300-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| DX3300-T1 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| DX3301-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| DX4510-B0 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 | |
| DX4510-B1 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 | |
| DX5401-B1 | 5.17(ABYO.7)C0 and earlier | 5.17(ABYO.7.1)C0 | |
| EE3301-00 | 5.63(ACMU.2)C0 and earlier | 5.63(ACMU.2.1)C0 | |
| EE5301-00 | 5.63(ACLD.2)C0 and earlier | 5.63(ACLD.2.1)C0 | |
| EE6510-10 | 5.19(ACJQ.4)C0 and earlier | 5.19(ACJQ.4.1)C0 | |
| EMG3525-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 | |
| EMG5523-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 | |
| EX2210-T0 | 5.50(ACDI.2.2)C0 and earlier | 5.50(ACDI.2.3)C0 | |
| EX3300-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| EX3300-T1 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| EX3301-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| EX3500-T0 | 5.44(ACHR.5)C0 and earlier | 5.44(ACHR.5.1)C0 | |
| EX3501-T0 | 5.44(ACHR.5)C0 and earlier | 5.44(ACHR.5.1)C0 | |
| EX3510-B0 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 | |
| EX3510-B1 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 | |
| EX3600-T0 | 5.70(ACIF.2)C0 and earlier | 5.70(ACIF.2.1)C0 | |
| EX5401-B1 | 5.17(ABYO.7)C0 and earlier | 5.17(ABYO.7.1)C0 | |
| EX5510-B0 | 5.17(ABQX.11)C0 and earlier | 5.17(ABQX.11.1)C0 | |
| EX5512-T0 | 5.70(ACEG.5.2)C0 and earlier | 5.70(ACEG.5.3)C0 | |
| EX5601-T0 | 5.70(ACDZ.5)C0 and earlier | 5.70(ACDZ.5.1)C0 | |
| EX5601-T1 | 5.70(ACDZ.5)C0 and earlier | 5.70(ACDZ.5.1)C0 | |
| EX7501-B0 | 5.18(ACHN.3)C0 and earlier | 5.18(ACHN.3.1)C0 | |
| EX7710-B0 | 5.18(ACAK.1.5)C0 and earlier | 5.18(ACAK.1.6)C0 | |
| GM4100-B0 | 5.18(ACCL.1.1)C0 and earlier | 5.18(ACCL.2)C0 | |
| VMG3625-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 | |
| VMG4005-B50A | 5.17(ABQA.3.1)C0 and earlier | 5.17(ABQA.3.2)C0 | |
| VMG4005-B60A | 5.17(ABQA.3.1)C0 and earlier | 5.17(ABQA.3.2)C0 | |
| VMG8623-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 | |
| Fiber ONTs | AX7501-B1 | 5.17(ABPC.7)C0 and earlier | 5.17(ABPC.7.1)C0 |
| PE3301-00 | 5.63(ACMT.2)C0 and earlier | 5.63(ACMT.2.1)C0 | |
| PE5301-01 | 5.63(ACOJ.2)C0 and earlier | 5.63(ACOJ.2.1)C0 | |
| PM3100-T0 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 | |
| PM5100-T0 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 | |
| PM5100-T1 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 | |
| PM7300-T0 | 5.42(ABYY.4)C0 and earlier | 5.42(ABYY.4.1)C0 | |
| PM7500-00 | 5.61(ACKK.1.1)C0 and earlier | 5.61(ACKK.1.2)C0 | |
| PX3321-T1 | 5.44(ACJB.1.4)C0 and earlier 5.44(ACHK.2)C0 and earlier |
5.44(ACJB.1.5)C0 5.44(ACHK.3)C0 |
|
| PX5301-T0 | 5.44(ACKB.0.5)C0 and earlier | 5.44(ACKB.0.6)C0 | |
| Security Routers | SCR 50AXE | 1.20(ACGN.0)C0 and earlier | 1.30(ACGN.0)C0 |
| Wireless Extenders | WE3300-00 | 5.70(ACKA.1)C0 and earlier | 5.70(ACKA.1.1)C0 |
| WX3100-T0 | 5.50(ABVL.4.8)C0 and earlier | 5.50(ABVL.4.9)C0 | |
| WX3401-B1 | 5.17(ABVE.2.9)C0 and earlier | 5.17(ABVE.2.10)C0 | |
| WX5600-T0 | 5.70(ACEB.5)C0 and earlier | 5.70(ACEB.5.1)C0 | |
| WX5610-B0 | 5.18(ACGJ.0.4)C0 and earlier | 5.18(ACGJ.0.5)C0 |
* Please contact your Zyxel sales representative or support team to obtain the file.
Table 2. Models affected by CVE-2025-11846
| Product | Affected model | Affected version | Patch availability* |
|---|---|---|---|
| 4G LTE/5G NR CPE | LTE3301-PLUS | 1.00(ABQU.8)C0 and earlier | 1.00(ABQU.9)C0 |
| Nebula FWA505 | 1.19(ACKO.0)C0 and earlier | 1.60(ACKO.2)V0 | |
| Nebula FWA510 | 1.20(ACGD.1)C0 and earlier | 1.60(ACGD.0)C0 | |
| Nebula FWA515 | 1.50(ACPZ.0)C0 and earlier | 1.60(ACPZ.0)V0 | |
| Nebula FWA710 | 1.20(ACGC.0)C0 and earlier | 1.60(ACGC.1)V0 | |
| Nebula LTE3301-PLUS | 1.18(ACCA.6)C0 and earlier | 1.18(ACCA.6)V0 | |
| DSL/Ethernet CPE | DX3300-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| DX3300-T1 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| DX3301-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| DX4510-B0 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 | |
| DX4510-B1 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 | |
| DX5401-B1 | 5.17(ABYO.7)C0 and earlier | 5.17(ABYO.7.1)C0 | |
| EE3301-00 | 5.63(ACMU.2)C0 and earlier | 5.63(ACMU.2.1)C0 | |
| EE5301-00 | 5.63(ACLD.2)C0 and earlier | 5.63(ACLD.2.1)C0 | |
| EE6510-10 | 5.19(ACJQ.4)C0 and earlier | 5.19(ACJQ.4.1)C0 | |
| EMG3525-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 | |
| EMG5523-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 | |
| EX2210-T0 | 5.50(ACDI.2.2)C0 and earlier | 5.50(ACDI.2.3)C0 | |
| EX3300-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| EX3300-T1 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| EX3301-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| EX3500-T0 | 5.44(ACHR.5)C0 and earlier | 5.44(ACHR.5.1)C0 | |
| EX3501-T0 | 5.44(ACHR.5)C0 and earlier | 5.44(ACHR.5.1)C0 | |
| EX3510-B0 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 | |
| EX3510-B1 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 | |
| EX3600-T0 | 5.70(ACIF.2)C0 and earlier | 5.70(ACIF.2.1)C0 | |
| EX5401-B1 | 5.17(ABYO.7)C0 and earlier | 5.17(ABYO.7.1)C0 | |
| EX5510-B0 | 5.17(ABQX.11)C0 and earlier | 5.17(ABQX.11.1)C0 | |
| EX5512-T0 | 5.70(ACEG.5.2)C0 and earlier | 5.70(ACEG.5.3)C0 | |
| EX5601-T0 | 5.70(ACDZ.5)C0 and earlier | 5.70(ACDZ.5.1)C0 | |
| EX5601-T1 | 5.70(ACDZ.5)C0 and earlier | 5.70(ACDZ.5.1)C0 | |
| EX7501-B0 | 5.18(ACHN.3)C0 and earlier | 5.18(ACHN.3.1)C0 | |
| EX7710-B0 | 5.18(ACAK.1.5)C0 and earlier | 5.18(ACAK.1.6)C0 | |
| GM4100-B0 | 5.18(ACCL.1.1)C0 and earlier | 5.18(ACCL.2)C0 | |
| VMG3625-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 | |
| VMG4005-B50A | 5.17(ABQA.3.1)C0 and earlier | 5.17(ABQA.3.2)C0 | |
| VMG4005-B60A | 5.17(ABQA.3.1)C0 and earlier | 5.17(ABQA.3.2)C0 | |
| VMG8623-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 | |
| Fiber ONTs | AX7501-B1 | 5.17(ABPC.7)C0 and earlier | 5.17(ABPC.7.1)C0 |
| PE3301-00 | 5.63(ACMT.2)C0 and earlier | 5.63(ACMT.2.1)C0 | |
| PE5301-01 | 5.63(ACOJ.2)C0 and earlier | 5.63(ACOJ.2.1)C0 | |
| PM3100-T0 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 | |
| PM5100-T0 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 | |
| PM5100-T1 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 | |
| PM7300-T0 | 5.42(ABYY.4)C0 and earlier | 5.42(ABYY.4.1)C0 | |
| PM7500-00 | 5.61(ACKK.1.1)C0 and earlier | 5.61(ACKK.1.2)C0 | |
| PX3321-T1 | 5.44(ACJB.1.4)C0 and earlier 5.44(ACHK.2)C0 and earlier |
5.44(ACJB.1.5)C0 5.44(ACHK.3)C0 |
|
| PX5301-T0 | 5.44(ACKB.0.5)C0 and earlier | 5.44(ACKB.0.6)C0 | |
| Security Routers | SCR 50AXE | 1.20(ACGN.0)C0 and earlier | 1.30(ACGN.0)C0 |
| Wireless Extenders | WE3300-00 | 5.70(ACKA.1)C0 and earlier | 5.70(ACKA.1.1)C0 |
| WX3100-T0 | 5.50(ABVL.4.8)C0 and earlier | 5.50(ABVL.4.9)C0 | |
| WX3401-B1 | 5.17(ABVE.2.9)C0 and earlier | 5.17(ABVE.2.10)C0 | |
| WX5600-T0 | 5.70(ACEB.5)C0 and earlier | 5.70(ACEB.5.1)C0 | |
| WX5610-B0 | 5.18(ACGJ.0.4)C0 and earlier | 5.18(ACGJ.0.5)C0 |
* Please contact your Zyxel sales representative or support team to obtain the file.
Table 3. Models affected by CVE-2025-11847
| Product | Affected model | Affected version | Patch availability* |
|---|---|---|---|
| 4G LTE/5G NR CPE | LTE3301-PLUS | 1.00(ABQU.8)C0 and earlier | 1.00(ABQU.9)C0 |
| Nebula FWA505 | 1.19(ACKO.0)C0 and earlier | 1.60(ACKO.2)V0 | |
| Nebula FWA510 | 1.20(ACGD.1)C0 and earlier | 1.60(ACGD.0)C0 | |
| Nebula FWA515 | 1.50(ACPZ.0)C0 and earlier | 1.60(ACPZ.0)V0 | |
| Nebula FWA710 | 1.20(ACGC.0)C0 and earlier | 1.60(ACGC.1)V0 | |
| Nebula LTE3301-PLUS | 1.18(ACCA.6)C0 and earlier | 1.18(ACCA.6)V0 | |
| DSL/Ethernet CPE | DX3300-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| DX3300-T1 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| DX3301-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| DX4510-B0 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 | |
| DX4510-B1 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 | |
| DX5401-B1 | 5.17(ABYO.7)C0 and earlier | 5.17(ABYO.7.1)C0 | |
| EE3301-00 | 5.63(ACMU.2)C0 and earlier | 5.63(ACMU.2.1)C0 | |
| EE5301-00 | 5.63(ACLD.2)C0 and earlier | 5.63(ACLD.2.1)C0 | |
| EE6510-10 | 5.19(ACJQ.4)C0 and earlier | 5.19(ACJQ.4.1)C0 | |
| EMG3525-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 | |
| EMG5523-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 | |
| EX2210-T0 | 5.50(ACDI.2.2)C0 and earlier | 5.50(ACDI.2.3)C0 | |
| EX3300-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| EX3300-T1 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| EX3301-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| EX3500-T0 | 5.44(ACHR.5)C0 and earlier | 5.44(ACHR.5.1)C0 | |
| EX3501-T0 | 5.44(ACHR.5)C0 and earlier | 5.44(ACHR.5.1)C0 | |
| EX3510-B0 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 | |
| EX3510-B1 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 | |
| EX3600-T0 | 5.70(ACIF.2)C0 and earlier | 5.70(ACIF.2.1)C0 | |
| EX5401-B1 | 5.17(ABYO.7)C0 and earlier | 5.17(ABYO.7.1)C0 | |
| EX5510-B0 | 5.17(ABQX.11)C0 and earlier | 5.17(ABQX.11.1)C0 | |
| EX5512-T0 | 5.70(ACEG.5.2)C0 and earlier | 5.70(ACEG.5.3)C0 | |
| EX5601-T0 | 5.70(ACDZ.5)C0 and earlier | 5.70(ACDZ.5.1)C0 | |
| EX5601-T1 | 5.70(ACDZ.5)C0 and earlier | 5.70(ACDZ.5.1)C0 | |
| EX7501-B0 | 5.18(ACHN.3)C0 and earlier | 5.18(ACHN.3.1)C0 | |
| EX7710-B0 | 5.18(ACAK.1.5)C0 and earlier | 5.18(ACAK.1.6)C0 | |
| GM4100-B0 | 5.18(ACCL.1.1)C0 and earlier | 5.18(ACCL.2)C0 | |
| VMG3625-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 | |
| VMG4005-B50A | 5.17(ABQA.3.1)C0 and earlier | 5.17(ABQA.3.2)C0 | |
| VMG4005-B60A | 5.17(ABQA.3.1)C0 and earlier | 5.17(ABQA.3.2)C0 | |
| VMG8623-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 | |
| Fiber ONTs | AX7501-B1 | 5.17(ABPC.7)C0 and earlier | 5.17(ABPC.7.1)C0 |
| PE3301-00 | 5.63(ACMT.2)C0 and earlier | 5.63(ACMT.2.1)C0 | |
| PE5301-01 | 5.63(ACOJ.2)C0 and earlier | 5.63(ACOJ.2.1)C0 | |
| PM3100-T0 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 | |
| PM5100-T0 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 | |
| PM5100-T1 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 | |
| PM7300-T0 | 5.42(ABYY.4)C0 and earlier | 5.42(ABYY.4.1)C0 | |
| PM7500-00 | 5.61(ACKK.1.1)C0 and earlier | 5.61(ACKK.1.2)C0 | |
| PX3321-T1 | 5.44(ACJB.1.4)C0 and earlier 5.44(ACHK.2)C0 and earlier |
5.44(ACJB.1.5)C0 5.44(ACHK.3)C0 |
|
| PX5301-T0 | 5.44(ACKB.0.5)C0 and earlier | 5.44(ACKB.0.6)C0 | |
| Security Routers | SCR 50AXE | 1.20(ACGN.0)C0 and earlier | 1.30(ACGN.0)C0 |
| Wireless Extenders | WE3300-00 | 5.70(ACKA.1)C0 and earlier | 5.70(ACKA.1.1)C0 |
| WX3100-T0 | 5.50(ABVL.4.8)C0 and earlier | 5.50(ABVL.4.9)C0 | |
| WX3401-B1 | 5.17(ABVE.2.9)C0 and earlier | 5.17(ABVE.2.10)C0 | |
| WX5600-T0 | 5.70(ACEB.5)C0 and earlier | 5.70(ACEB.5.1)C0 | |
| WX5610-B0 | 5.18(ACGJ.0.4)C0 and earlier | 5.18(ACGJ.0.5)C0 |
* Please contact your Zyxel sales representative or support team to obtain the file.
Table 4. Models affected by CVE-2025-11848
| Product | Affected model | Affected version | Patch availability* |
|---|---|---|---|
| DSL/Ethernet CPE | DX3300-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| DX3300-T1 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| DX3301-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| DX4510-B0 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 | |
| DX4510-B1 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 | |
| DX5401-B1 | 5.17(ABYO.7)C0 and earlier | 5.17(ABYO.7.1)C0 | |
| EE3301-00 | 5.63(ACMU.2)C0 and earlier | 5.63(ACMU.2.1)C0 | |
| EE5301-00 | 5.63(ACLD.2)C0 and earlier | 5.63(ACLD.2.1)C0 | |
| EE6510-10 | 5.19(ACJQ.4)C0 and earlier | 5.19(ACJQ.4.1)C0 | |
| EMG3525-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 | |
| EMG5523-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 | |
| EX2210-T0 | 5.50(ACDI.2.2)C0 and earlier | 5.50(ACDI.2.3)C0 | |
| EX3300-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| EX3300-T1 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| EX3301-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| EX3500-T0 | 5.44(ACHR.5)C0 and earlier | 5.44(ACHR.5.1)C0 | |
| EX3501-T0 | 5.44(ACHR.5)C0 and earlier | 5.44(ACHR.5.1)C0 | |
| EX3510-B0 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 | |
| EX3510-B1 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 | |
| EX3600-T0 | 5.70(ACIF.2)C0 and earlier | 5.70(ACIF.2.1)C0 | |
| EX5401-B1 | 5.17(ABYO.7)C0 and earlier | 5.17(ABYO.7.1)C0 | |
| EX5510-B0 | 5.17(ABQX.11)C0 and earlier | 5.17(ABQX.11.1)C0 | |
| EX5512-T0 | 5.70(ACEG.5.2)C0 and earlier | 5.70(ACEG.5.3)C0 | |
| EX5601-T0 | 5.70(ACDZ.5)C0 and earlier | 5.70(ACDZ.5.1)C0 | |
| EX5601-T1 | 5.70(ACDZ.5)C0 and earlier | 5.70(ACDZ.5.1)C0 | |
| EX7501-B0 | 5.18(ACHN.3)C0 and earlier | 5.18(ACHN.3.1)C0 | |
| EX7710-B0 | 5.18(ACAK.1.5)C0 and earlier | 5.18(ACAK.1.6)C0 | |
| GM4100-B0 | 5.18(ACCL.1.1)C0 and earlier | 5.18(ACCL.2)C0 | |
| VMG3625-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 | |
| VMG4005-B50A | 5.17(ABQA.3.1)C0 and earlier | 5.17(ABQA.3.2)C0 | |
| VMG4005-B60A | 5.17(ABQA.3.1)C0 and earlier | 5.17(ABQA.3.2)C0 | |
| VMG8623-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 | |
| Fiber ONTs | AX7501-B1 | 5.17(ABPC.7)C0 and earlier | 5.17(ABPC.7.1)C0 |
| PE3301-00 | 5.63(ACMT.2)C0 and earlier | 5.63(ACMT.2.1)C0 | |
| PE5301-01 | 5.63(ACOJ.2)C0 and earlier | 5.63(ACOJ.2.1)C0 | |
| PM3100-T0 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 | |
| PM5100-T0 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 | |
| PM5100-T1 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 | |
| PM7300-T0 | 5.42(ABYY.4)C0 and earlier | 5.42(ABYY.4.1)C0 | |
| PM7500-00 | 5.61(ACKK.1.1)C0 and earlier | 5.61(ACKK.1.2)C0 | |
| PX3321-T1 | 5.44(ACJB.1.4)C0 and earlier 5.44(ACHK.2)C0 and earlier |
5.44(ACJB.1.5)C0 5.44(ACHK.3)C0 |
|
| PX5301-T0 | 5.44(ACKB.0.5)C0 and earlier | 5.44(ACKB.0.6)C0 | |
| Security Routers | SCR 50AXE | 1.20(ACGN.0)C0 and earlier | 1.30(ACGN.0)C0 |
| Wireless Extenders | WE3300-00 | 5.70(ACKA.1)C0 and earlier | 5.70(ACKA.1.1)C0 |
| WX3100-T0 | 5.50(ABVL.4.8)C0 and earlier | 5.50(ABVL.4.9)C0 | |
| WX3401-B1 | 5.17(ABVE.2.9)C0 and earlier | 5.17(ABVE.2.10)C0 | |
| WX5600-T0 | 5.70(ACEB.5)C0 and earlier | 5.70(ACEB.5.1)C0 | |
| WX5610-B0 | 5.18(ACGJ.0.4)C0 and earlier | 5.18(ACGJ.0.5)C0 |
* Please contact your Zyxel sales representative or support team to obtain the file.
Table 5. Models affected by CVE-2025-13942
| Product | Affected model | Affected version | Patch availability* |
|---|---|---|---|
| 4G LTE/5G NR CPE | LTE3301-PLUS | 1.00(ABQU.8)C0 and earlier | 1.00(ABQU.9)C0 |
| NR7101 | 1.00(ABUV.11)C0 and earlier | 1.00(ABUV.12)B2 | |
| Nebula LTE3301-PLUS | 1.18(ACCA.6)C0 and earlier | 1.18(ACCA.6)V0 | |
| Nebula NR7101 | 1.16(ACCC.1)C0 and earlier | 1.16(ACCC.1)V0 | |
| DSL/Ethernet CPE | DX4510-B0 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 |
| DX4510-B1 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 | |
| EE6510-10 | 5.19(ACJQ.4)C0 and earlier | 5.19(ACJQ.4.1)C0 | |
| EMG6726-B10A | 5.13(ABNP.8.1)C1 and earlier | 5.13(ABNP.8.2)C1 | |
| EX2210-T0 | 5.50(ACDI.2.3)C0 and earlier | 5.50(ACDI.2.4)C0 | |
| EX3510-B0 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 | |
| EX3510-B1 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 | |
| EX5510-B0 | 5.17(ABQX.11)C0 and earlier | 5.17(ABQX.11.1)C0 | |
| EX5512-T0 | 5.70(ACEG.5.3)C0 and earlier | 5.70(ACEG.5.4)C0 | |
| EX7710-B0 | 5.18(ACAK.1.5)C0 and earlier | 5.18(ACAK.1.6)C0 | |
| VMG4927-B50A | 5.13(ABLY.10.1)C0 and earlier | 5.13(ABLY.10.2)C0 | |
| Fiber ONTs | PX3321-T1 | 5.44(ACJB.1.4)C0 and earlier 5.44(ACHK.2)C0 and earlier |
5.44(ACJB.1.5)C0 5.44(ACHK.3)C0 |
| PX5301-T0 | 5.44(ACKB.0.5)C0 and earlier | 5.44(ACKB.0.6)C0 | |
| Wireless Extenders | WX5610-B0 | 5.18(ACGJ.0.4)C0 and earlier | 5.18(ACGJ.0.5)C0 |
* Please contact your Zyxel sales representative or support team to obtain the file.
Table 6. Models affected by CVE-2025-13943
| Product | Affected model | Affected version | Patch availability* |
|---|---|---|---|
| DSL/Ethernet CPE | DM4200-B0 | 5.17(ACBS.1.5)C0 and earlier | 5.17(ACBS.1.6)C0 |
| DX3300-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| DX3300-T1 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| DX3301-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| DX4510-B0 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 | |
| DX4510-B1 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 | |
| DX5401-B1 | 5.17(ABYO.7)C0 and earlier | 5.17(ABYO.7.1)C0 | |
| EE3301-00 | 5.63(ACMU.2)C0 and earlier | 5.63(ACMU.2.1)C0 | |
| EE5301-00 | 5.63(ACLD.2)C0 and earlier | 5.63(ACLD.2.1)C0 | |
| EE6510-10 | 5.19(ACJQ.4)C0 and earlier | 5.19(ACJQ.4.1)C0 | |
| EMG3525-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 | |
| EMG5523-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 | |
| EMG6726-B10A | 5.13(ABNP.8.1)C1 and earlier | 5.13(ABNP.8.2)C1 | |
| EX2210-T0 | 5.50(ACDI.2.3)C0 and earlier | 5.50(ACDI.2.4)C0 | |
| EX3300-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| EX3300-T1 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| EX3301-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 | |
| EX3500-T0 | 5.44(ACHR.5)C0 and earlier | 5.44(ACHR.5.1)C0 | |
| EX3501-T0 | 5.44(ACHR.5)C0 and earlier | 5.44(ACHR.5.1)C0 | |
| EX3510-B0 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 | |
| EX3510-B1 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 | |
| EX3600-T0 | 5.70(ACIF.2)C0 and earlier | 5.70(ACIF.2.1)C0 | |
| EX5401-B1 | 5.17(ABYO.7)C0 and earlier | 5.17(ABYO.7.1)C0 | |
| EX5510-B0 | 5.17(ABQX.11)C0 and earlier | 5.17(ABQX.11.1)C0 | |
| EX5512-T0 | 5.70(ACEG.5.3)C0 and earlier | 5.70(ACEG.5.4)C0 | |
| EX5601-T0 | 5.70(ACDZ.5)C0 and earlier | 5.70(ACDZ.5.1)C0 | |
| EX5601-T1 | 5.70(ACDZ.5)C0 and earlier | 5.70(ACDZ.5.1)C0 | |
| EX7501-B0 | 5.18(ACHN.3)C0 and earlier | 5.18(ACHN.3.1)C0 | |
| EX7710-B0 | 5.18(ACAK.1.5)C0 and earlier | 5.18(ACAK.1.6)C0 | |
| GM4100-B0 | 5.18(ACCL.1.1)C0 and earlier | 5.18(ACCL.2)C0 | |
| VMG3625-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 | |
| VMG4005-B50A | 5.17(ABQA.3.1)C0 and earlier | 5.17(ABQA.3.2)C0 | |
| VMG4005-B60A | 5.17(ABQA.3.1)C0 and earlier | 5.17(ABQA.3.2)C0 | |
| VMG4927-B50A | 5.13(ABLY.10.1)C0 and earlier | 5.13(ABLY.10.2)C0 | |
| VMG8623-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 | |
| Fiber ONTs | AM7510-00 | 5.63(ACOR.0)C0 and earlier | 5.63(ACOR.0.1)C0 |
| AX7501-B1 | 5.17(ABPC.7)C0 and earlier | 5.17(ABPC.7.1)C0 | |
| PE3301-00 | 5.63(ACMT.2)C0 and earlier | 5.63(ACMT.2.1)C0 | |
| PE5301-01 | 5.63(ACOJ.2)C0 and earlier | 5.63(ACOJ.2.1)C0 | |
| PM3100-T0 | 5.42(ACBF.4.1)C0 and earlier | 5.42(ACBF.4.2)C0 | |
| PM5100-T0 | 5.42(ACBF.4.1)C0 and earlier | 5.42(ACBF.4.2)C0 | |
| PM5100-T1 | 5.42(ACBF.4.1)C0 and earlier | 5.42(ACBF.4.2)C0 | |
| PM7300-T0 | 5.42(ABYY.4)C0 and earlier | 5.42(ABYY.4.1)C0 | |
| PM7500-00 | 5.61(ACKK.1.1)C0 and earlier | 5.61(ACKK.1.2)C0 | |
| PX3321-T1 | 5.44(ACJB.1.4)C0 and earlier 5.44(ACHK.2)C0 and earlier |
5.44(ACJB.1.5)C0 5.44(ACHK.3)C0 |
|
| PX5301-T0 | 5.44(ACKB.0.5)C0 and earlier | 5.44(ACKB.0.6)C0 | |
| Wireless Extenders | WE3300-00 | 5.70(ACKA.1)C0 and earlier | 5.70(ACKA.1.1)C0 |
| WE4600-00 | 6.70(ACKT.0)B8 and earlier | 6.70(ACKT.0)C0 | |
| WX3100-T0 | 5.50(ABVL.4.8)C0 and earlier | 5.50(ABVL.4.9)C0 | |
| WX3401-B1 | 5.17(ABVE.2.9)C0 and earlier | 5.17(ABVE.2.10)C0 | |
| WX5600-T0 | 5.70(ACEB.5)C0 and earlier | 5.70(ACEB.5.1)C0 | |
| WX5610-B0 | 5.18(ACGJ.0.4)C0 and earlier | 5.18(ACGJ.0.5)C0 |
* Please contact your Zyxel sales representative or support team to obtain the file.
Table 7. Models affected by CVE-2026-1459
| Product | Affected model | Affected version | Patch availability* |
|---|---|---|---|
| DSL/Ethernet CPE | DX5401-B1 | 5.17(ABYO.7.1)C0 and earlier | 5.17(ABYO.7.2)C0 in Mar. 2026 |
| EMG3525-T50B | 5.50(ABPM.9.7)C0 and earlier | 5.50(ABPM.9.8)C0 in Mar. 2026 | |
| EMG5523-T50B | 5.50(ABPM.9.7)C0 and earlier | 5.50(ABPM.9.8)C0 in Mar. 2026 | |
| VMG3625-T50B | 5.50(ABPM.9.7)C0 and earlier | 5.50(ABPM.9.8)C0 in Mar. 2026 | |
| VMG3625-T50C | 5.50(ABPM.9.7)C0 and earlier | 5.50(ABPM.9.8)C0 in Mar. 2026 | |
| VMG8623-T50B | 5.50(ABPM.9.7)C0 and earlier | 5.50(ABPM.9.8)C0 in Mar. 2026 |
* Please contact your Zyxel sales representative or support team to obtain the file.
For ISPs, please contact your Zyxel sales or service representatives for further details.
For end-users who acquired their Zyxel device from an ISP, we recommend reaching out directly to the ISP's support team, as the device may have custom-built settings.
For end-users who purchased their Zyxel device themselves, please contact your local Zyxel support team for the new firmware file to ensure optimal protection, or visit Zyxel's Community for further assistance.
Got a question?
Please contact your local service rep or visit Zyxel's Community for further information or assistance.
Acknowledgment
Thanks to the following security researchers:
- Tiantai Zhang from Purdue University for CVE-2025-11845, CVE-2025-11846, CVE-2025-11847, and CVE-2025-11848
- Víctor Fresco (@hacefresko) for CVE-2025-13942 and CVE-2025-13943
- Watchful IP for CVE-2026-1459
Revision history
2026-2-24: Initial release