Zyxel security advisory for uncontrolled resource consumption and command injection vulnerabilities in certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, Security Routers, and Wireless Extenders
CVEs: CVE-2025-6599, CVE-2025-8693
Summary
Zyxel has released patches for certain firmware versions of its 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, Security Routers, and Wireless Extenders. These updates address an uncontrolled resource consumption vulnerability and a post-authentication command injection vulnerability. Users are strongly advised to install the patches to ensure optimal protection.
What are the vulnerabilities?
CVE-2025-6599
The uncontrolled resource consumption vulnerability in the web server of certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, Security Routers, and Wireless Extenders firmware versions could allow an attacker to perform Slowloris‑style denial‑of‑service (DoS) attacks. Such attacks may temporarily block legitimate HTTP requests and partially disrupt access to the web management interface, while other networking services remain unaffected.
CVE-2025-8693
The post-authentication command injection vulnerability in the "priv" parameter of the CGI program in certain DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders firmware versions could allow an authenticated attacker to execute operating system (OS) commands on an affected device. It is important to note that WAN access is disabled by default on these devices, and the attack can only succeed if the strong, unique user passwords have been compromised.
What versions are vulnerable—and what should you do?
After a thorough investigation, we have identified the vulnerable products within their vulnerability support period and have released firmware patches to address these vulnerabilities, as shown in the tables below. Please note that the tables do not include customized models specifically designed for ISP customers. Any on-market product not listed in the table is not affected.
Table 1. Models affected by CVE-2025-6599
| Product | Affected model | Affected version | Patch availability |
|---|---|---|---|
| 4G LTE/5G NR CPE | LTE3301-PLUS | 1.00(ABQU.7)C0 and earlier | 1.00(ABQU.8)C0* |
| NR5103 | 4.19(ABYC.8)C0 and earlier | 4.19(ABYC.9)C0* | |
| NR5103E | 1.00(ACDJ.1)C0 and earlier | 1.00(ACDJ.2)C0* | |
| NR5309 | 1.00(ACKP.1)b3 and earlier | 1.00(ACKP.1)C0* | |
| NR7302 | 5.00(ACHA.5)C0 and earlier | 1.00(ACHA.6)C0* | |
| NR7303 | 1.00(ACEI.1)C0 and earlier | 1.00(ACEI.2)C0* | |
| Nebula FWA505 | 1.19(ACKO.0)C0 and earlier | 1.60(ACKO.0)C0* | |
| Nebula FWA510 | 1.20(ACGD.1)C0 and earlier | 1.60(ACGD.0)C0* | |
| Nebula FWA515 | 1.50(ACPZ.0)C0 and earlier | 1.60(ACPZ.0)C0* | |
| Nebula FWA710 | 1.20(ACGC.0)C0 and earlier | 1.60(ACGC.0)C0* | |
| DSL/Ethernet CPE | DM4200-B0 | 5.17(ACBS.1.3)C0 and earlier | 5.17(ACBS.1.4)C0* |
| DX3300-T0 | 5.50(ABVY.6.3)C0 and earlier | 5.50(ABVY.6.4)C0* | |
| DX3300-T1 | 5.50(ABVY.6.3)C0 and earlier | 5.50(ABVY.6.4)C0* | |
| DX3301-T0 | 5.50(ABVY.6.3)C0 and earlier | 5.50(ABVY.6.4)C0* | |
| DX4510-B1 | 5.17(ABYL.9)C0 and earlier | 5.17(ABYL.9.1)C0* | |
| DX5401-B0 | 5.17(ABYO.7)b2 and earlier | 5.17(ABYO.7)C0* | |
| DX5401-B1 | 5.17(ABYO.7)b2 and earlier | 5.17(ABYO.7)C0* | |
| EE3301-00 | 5.63(ACMU.1.1)C0 and earlier | 5.63(ACMU.2)C0* | |
| EE5301-00 | 5.63(ACLD.1.1)C0 and earlier | 5.63(ACLD.2)C0* | |
| EE6510-10 | 5.19(ACJQ.3)C0 and earlier | 5.19(ACJQ.4)C0* | |
| EX3300-T0 | 5.50(ABVY.6.3)C0 and earlier 5.50(ACDI.2.1)C0 and earlier |
5.50(ABVY.6.4)C0* 5.50(ACDI.2.2)C0* |
|
| EX3300-T1 | 5.50(ABVY.6.3)C0 and earlier | 5.50(ABVY.6.4)C0* | |
| EX3301-T0 | 5.50(ABVY.6.3)C0 and earlier | 5.50(ABVY.6.4)C0* | |
| EX3500-T0 | 5.44(ACHR.4)C0 and earlier | 5.44(ACHR.4.1)C0* | |
| EX3501-T0 | 5.44(ACHR.4)C0 and earlier | 5.44(ACHR.4.1)C0* | |
| EX3600-T0 | 5.70(ACIF.1.2)C0 and earlier | 5.70(ACIF.1.3)C0* | |
| EX5401-B0 | 5.17(ABYO.7)b2 and earlier | 5.17(ABYO.7)C0* | |
| EX5401-B1 | 5.17(ABYO.7)b2 and earlier | 5.17(ABYO.7)C0* | |
| EX5501-B0 | 5.17(ABRY.5.5)C0 and earlier | 5.17(ABRY.5.6)C0* | |
| EX5510-B0 | 5.17(ABQX.10)C0 and earlier | 5.17(ABQX.11)C0* | |
| EX5512-T0 | 5.70(ACEG.5)C0 and earlier | 5.70(ACEG.5.1)C0* | |
| EX5601-T0 | 5.70(ACDZ.4.1)C0 and earlier | 5.70(ACDZ.4.3)C0* | |
| EX5601-T1 | 5.70(ACDZ.4.1)C0 and earlier | 5.70(ACDZ.4.3)C0* | |
| EX7501-B0 | 5.18(ACHN.2.1)C0 and earlier | 5.18(ACHN.2.2)C0* | |
| EX7710-B0 | 5.18(ACAK.1.4)C0 and earlier | 5.18(ACAK.1.5)C0* | |
| EMG3525-T50B | 5.50(ABPM.9.5)C0 and earlier | 5.50(ABPM.9.6)C0* | |
| EMG5523-T50B | 5.50(ABPM.9.5)C0 and earlier | 5.50(ABPM.9.6)C0* | |
| EMG5723-T50K | 5.50(ABOM.8.6)C0 and earlier | 5.50(ABOM.8.7)C0* | |
| EMG6726-B10A | 5.13(ABNP.8)C0 and earlier | 5.13(ABNP.8.1)C0* | |
| GM4100-B0 | 5.18(ACCL.1)C0 and earlier | 5.18(ACCL.1.1)C0* | |
| VMG3625-T50B | 5.50(ABPM.9.5)C0 and earlier | 5.50(ABPM.9.6)C0* | |
| VMG3927-B50B | 5.13(ABLY.10)C0 and earlier | 5.13(ABLY.10.1)C0* | |
| VMG3927-T50K | 5.50(ABOM.8.6)C0 and earlier | 5.50(ABOM.8.7)C0* | |
| VMG4005-B50A | 5.17(ABQA.3)C0 and earlier | 5.17(ABQA.3.1)C0* | |
| VMG4005-B60A | 5.17(ABQA.3)C0 and earlier | 5.17(ABQA.3.1)C0* | |
| VMG4005-B50B | 5.13(ABRL.5.3)C0 and earlier | 5.13(ABRL.5.4)C0* | |
| VMG4927-B50A | 5.13(ABLY.10)C0 and earlier | 5.13(ABLY.10.1)C0* | |
| VMG8623-T50B | 5.50(ABPM.9.5)C0 and earlier | 5.50(ABPM.9.6)C0* | |
| VMG8825-T50K | 5.50(ABOM.8.6)C0 and earlier | 5.50(ABOM.8.7)C0* | |
| Fiber ONTs | AX7501-B0 | 5.17(ABPC.6.1)C0 and earlier | 5.17(ABPC.6.2)C0* |
| AX7501-B1 | 5.17(ABPC.6.1)C0 and earlier | 5.17(ABPC.6.2)C0* | |
| PE3301-00 | 5.63(ACMT.1.1)C0 and earlier | 5.63(ACMT.2)C0* | |
| PE5301-01 | 5.63(ACOJ.1.1)C0 and earlier | 5.63(ACOJ.2)C0* | |
| PM3100-T0 | 5.42(ACBF.3)C0 and earlier | 5.42(ACBF.4)C0* | |
| PM5100-T0 | 5.42(ACBF.3)C0 and earlier | 5.42(ACBF.4)C0* | |
| PM7500-00 | 5.61(ACKK.1)C0 and earlier | 5.61(ACKK.1.1)C0* | |
| PM7300-T0 | 5.42(ABYY.3)C0 and earlier | 5.42(ABYY.4)C0* | |
| PX3321-T1 | 5.44(ACJB.1.3)C0 and earlier 5.44(ACHK.1)C0 and earlier |
5.44(ACJB.1.4)C0* 5.44(ACHK.2)C0* |
|
| PX5301-T0 | 5.44(ACKB.0.4)C0 and earlier | 5.44(ACKB.0.5)C0* | |
| Security Routers | SCR 50AXE | 1.10(ACGN.3)C0 and earlier | 1.20(ACGN.0)C0** |
| Wireless Extenders | WE3300-00 | 5.70(ACKA.0)C0 and earlier | 5.70(ACKA.1)C0* |
| WX3100-T0 | 5.50(ABVL.4.7)C0 and earlier | 5.50(ABVL.4.8)C0* | |
| WX3401-B0 | 5.17(ABVE.2.8)C0 and earlier | 5.17(ABVE.2.9)C0* | |
| WX3401-B1 | 5.17(ABVE.2.8)C0 and earlier | 5.17(ABVE.2.9)C0* | |
| WX5600-T0 | 5.70(ACEB.4.1)C0 and earlier | 5.70(ACEB.4.3)C0* | |
| WX5610-B0 | 5.18(ACGJ.0.3)C0 and earlier | 5.18(ACGJ.0.4)C0* |
* Please contact your Zyxel sales representative or support team to obtain the file.
** Updated by cloud.
Table 2. Models affected by CVE-2025-8693
| Product | Affected model | Affected version | Patch availability |
|---|---|---|---|
| DSL/Ethernet CPE | DM4200-B0 | 5.17(ACBS.1.3)C0 and earlier | 5.17(ACBS.1.4)C0* |
| DX3300-T0 | 5.50(ABVY.6.3)C0 and earlier | 5.50(ABVY.6.4)C0* | |
| DX3300-T1 | 5.50(ABVY.6.3)C0 and earlier | 5.50(ABVY.6.4)C0* | |
| DX3301-T0 | 5.50(ABVY.6.3)C0 and earlier | 5.50(ABVY.6.4)C0* | |
| DX4510-B1 | 5.17(ABYL.9)C0 and earlier | 5.17(ABYL.9.1)C0* | |
| DX5401-B0 | 5.17(ABYO.7)b2 and earlier | 5.17(ABYO.7)C0* | |
| DX5401-B1 | 5.17(ABYO.7)b2 and earlier | 5.17(ABYO.7)C0* | |
| EE3301-00 | 5.63(ACMU.1.1)C0 and earlier | 5.63(ACMU.2)C0* | |
| EE5301-00 | 5.63(ACLD.1.1)C0 and earlier | 5.63(ACLD.2)C0* | |
| EE6510-10 | 5.19(ACJQ.3)C0 and earlier | 5.19(ACJQ.4)C0* | |
| EX3300-T0 | 5.50(ABVY.6.3)C0 and earlier 5.50(ACDI.2.1)C0 and earlier |
5.50(ABVY.6.4)C0* 5.50(ACDI.2.2)C0* |
|
| EX3300-T1 | 5.50(ABVY.6.3)C0 and earlier | 5.50(ABVY.6.4)C0* | |
| EX3301-T0 | 5.50(ABVY.6.3)C0 and earlier | 5.50(ABVY.6.4)C0* | |
| EX3500-T0 | 5.44(ACHR.4)C0 and earlier | 5.44(ACHR.4.1)C0* | |
| EX3501-T0 | 5.44(ACHR.4)C0 and earlier | 5.44(ACHR.4.1)C0* | |
| EX3510-B0 | 5.17(ABUP.15)C0 and earlier | 5.17(ABUP.15.1)C0* | |
| EX3510-B1 | 5.17(ABUP.15)C0 and earlier | 5.17(ABUP.15.1)C0* | |
| EX3600-T0 | 5.70(ACIF.1.2)C0 and earlier | 5.70(ACIF.1.3)C0* | |
| EX5401-B0 | 5.17(ABYO.7)b2 and earlier | 5.17(ABYO.7)C0* | |
| EX5401-B1 | 5.17(ABYO.7)b2 and earlier | 5.17(ABYO.7)C0* | |
| EX5501-B0 | 5.17(ABRY.5.5)C0 and earlier | 5.17(ABRY.5.6)C0* | |
| EX5510-B0 | 5.17(ABQX.10)C0 and earlier | 5.17(ABQX.11)C0* | |
| EX5512-T0 | 5.70(ACEG.5)C0 and earlier | 5.70(ACEG.5.1)C0* | |
| EX5601-T0 | 5.70(ACDZ.4.1)C0 and earlier | 5.70(ACDZ.4.3)C0* | |
| EX5601-T1 | 5.70(ACDZ.4.1)C0 and earlier | 5.70(ACDZ.4.3)C0* | |
| EX7501-B0 | 5.18(ACHN.2.1)C0 and earlier | 5.18(ACHN.2.2)C0* | |
| EX7710-B0 | 5.18(ACAK.1.4)C0 and earlier | 5.18(ACAK.1.5)C0* | |
| EMG3525-T50B | 5.50(ABPM.9.5)C0 and earlier | 5.50(ABPM.9.6)C0* | |
| EMG5523-T50B | 5.50(ABPM.9.5)C0 and earlier | 5.50(ABPM.9.6)C0* | |
| EMG5723-T50K | 5.50(ABOM.8.6)C0 and earlier | 5.50(ABOM.8.7)C0* | |
| GM4100-B0 | 5.18(ACCL.1)C0 and earlier | 5.18(ACCL.1.1)C0* | |
| VMG3625-T50B | 5.50(ABPM.9.5)C0 and earlier | 5.50(ABPM.9.6)C0* | |
| VMG3927-T50K | 5.50(ABOM.8.6)C0 and earlier | 5.50(ABOM.8.7)C0* | |
| VMG4005-B50A | 5.17(ABQA.3)C0 and earlier | 5.17(ABQA.3.1)C0* | |
| VMG4005-B60A | 5.17(ABQA.3)C0 and earlier | 5.17(ABQA.3.1)C0* | |
| VMG4005-B50B | 5.13(ABRL.5.3)C0 and earlier | 5.13(ABRL.5.4)C0* | |
| VMG8623-T50B | 5.50(ABPM.9.5)C0 and earlier | 5.50(ABPM.9.6)C0* | |
| VMG8825-T50K | 5.50(ABOM.8.6)C0 and earlier | 5.50(ABOM.8.7)C0* | |
| Fiber ONTs | AX7501-B0 | 5.17(ABPC.6.1)C0 and earlier | 5.17(ABPC.6.2)C0* |
| AX7501-B1 | 5.17(ABPC.6.1)C0 and earlier | 5.17(ABPC.6.2)C0* | |
| PE3301-00 | 5.63(ACMT.1.1)C0 and earlier | 5.63(ACMT.2)C0* | |
| PE5301-01 | 5.63(ACOJ.1.1)C0 and earlier | 5.63(ACOJ.2)C0* | |
| PM3100-T0 | 5.42(ACBF.3)C0 and earlier | 5.42(ACBF.4)C0* | |
| PM5100-T0 | 5.42(ACBF.3)C0 and earlier | 5.42(ACBF.4)C0* | |
| PM7500-00 | 5.61(ACKK.1)C0 and earlier | 5.61(ACKK.1.1)C0* | |
| PM7300-T0 | 5.42(ABYY.3)C0 and earlier | 5.42(ABYY.4)C0* | |
| PX3321-T1 | 5.44(ACJB.1.3)C0 and earlier 5.44(ACHK.1)C0 and earlier |
5.44(ACJB.1.4)C0* 5.44(ACHK.2)C0* |
|
| PX5301-T0 | 5.44(ACKB.0.4)C0 and earlier | 5.44(ACKB.0.5)C0* | |
| Wireless Extenders | WE3300-00 | 5.70(ACKA.0)C0 and earlier | 5.70(ACKA.1)C0* |
| WX3100-T0 | 5.50(ABVL.4.7)C0 and earlier | 5.50(ABVL.4.8)C0* | |
| WX3401-B0 | 5.17(ABVE.2.8)C0 and earlier | 5.17(ABVE.2.9)C0* | |
| WX3401-B1 | 5.17(ABVE.2.8)C0 and earlier | 5.17(ABVE.2.9)C0* | |
| WX5600-T0 | 5.70(ACEB.4.1)C0 and earlier | 5.70(ACEB.4.3)C0* | |
| WX5610-B0 | 5.18(ACGJ.0.3)C0 and earlier | 5.18(ACGJ.0.4)C0* |
* Please contact your Zyxel sales representative or support team to obtain the file.
For ISPs, please contact your Zyxel sales or service representatives for further details.
For end-users who acquired their Zyxel device from an ISP, we recommend reaching out directly to the ISP's support team, as the device may have custom-built settings.
For end-users who purchased their Zyxel device themselves, please contact your local Zyxel support team for the new firmware file to ensure optimal protection, or visit Zyxel's Community for further assistance.
Got a question?
Please contact your local service representatives or visit Zyxel's Community for further information or assistance.
Acknowledgment
Thanks to the following security researchers:
- Iván Domínguez from Zerolynx for CVE-2025-6599
- Joni Gadd for CVE-2025-8693
Revision history
2025-11-18: Initial release