Zyxel security advisory for null pointer dereference and command injection vulnerabilities in certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders
CVEs: CVE-2025-11845, CVE-2025-11846, CVE-2025-11847, CVE-2025-11848, CVE-2025-13942, CVE-2025-13943, CVE-2026-1459
Summary
Zyxel has released patches for specific firmware versions of its 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders. These updates address null pointer dereference and command injection vulnerabilities. Users are strongly advised to install the patches to maintain optimal protection.
What are the vulnerabilities?
CVE-2025-11845
A null pointer dereference vulnerability in the certificate downloader CGI program of certain 4G LTE CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders firmware versions could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request. It is important to note that WAN access is disabled by default on these devices, and this attack can only succeed if user-configured passwords have been compromised.
CVE-2025-11846
A null pointer dereference vulnerability in the account settings CGI program of certain 4G LTE CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders firmware versions could allow an authenticated attacker with administrator privileges to trigger a DoS condition by sending a crafted HTTP request. It is important to note that WAN access is disabled by default on these devices, and this attack can only succeed if user-configured passwords have been compromised.
CVE-2025-11847
A null pointer dereference vulnerability in the IP settings CGI program of certain 4G LTE CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders firmware versions could allow an authenticated attacker with administrator privileges to trigger a DoS condition by sending a crafted HTTP request. It is important to note that WAN access is disabled by default on these devices, and this attack can only succeed if user-configured passwords have been compromised.
CVE-2025-11848
A null pointer dereference vulnerability in the Wake-on-LAN CGI program of certain DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders firmware versions could allow an authenticated attacker with administrator privileges to trigger a DoS condition by sending a crafted HTTP request. It is important to note that WAN access is disabled by default on these devices, and this attack can only succeed if user-configured passwords have been compromised.
CVE-2025-13942
A command injection vulnerability in the UPnP function of certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders firmware versions could allow a remote attacker to execute operating system (OS) commands on an affected device by sending specially crafted UPnP SOAP requests. It is important to note that WAN access is disabled by default on these devices, and the attack can be carried out remotely only if both WAN access and the vulnerable UPnP function have been enabled.
CVE-2025-13943
A post-authentication command injection vulnerability in the log file download function of certain DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders firmware versions could allow an authenticated attacker to execute OS commands on an affected device. It is important to note that WAN access is disabled by default on these devices, and this attack can only succeed if user-configured passwords have been compromised.
CVE-2026-1459
A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of certain DSL/Ethernet CPE firmware versions could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device. It is important to note that WAN access is disabled by default on these devices, and this attack can only succeed if user-configured passwords have been compromised.
What versions are vulnerable—and what should you do?
After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address these vulnerabilities, as shown in the tables below. Please note that the tables do not include customized models specifically designed for ISP customers. Any on-market product not listed in the table is not affected.
| Models affected by CVE-2025-11845 | ||
|---|---|---|
| Affected model | Affected version | Patch availability* |
| 4G LTE CPE | ||
| LTE3301-PLUS | 1.00(ABQU.8)C0 and earlier | 1.00(ABQU.9)C0 |
| DSL/Ethernet CPE | ||
| DX3300-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| DX3300-T1 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| DX3301-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| DX4510-B0 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 |
| DX4510-B1 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 |
| DX5401-B1 | 5.17(ABYO.7)C0 and earlier | 5.17(ABYO.7.1)C0 |
| EE3301-00 | 5.63(ACMU.2)C0 and earlier | 5.63(ACMU.2.1)C0 |
| EE5301-00 | 5.63(ACLD.2)C0 and earlier | 5.63(ACLD.2.1)C0 |
| EE6510-10 | 5.19(ACJQ.4)C0 and earlier | 5.19(ACJQ.4.1)C0 |
| EMG3525-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 |
| EMG5523-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 |
| EX2210-T0 | 5.50(ACDI.2.2)C0 and earlier | 5.50(ACDI.2.3)C0 |
| EX3300-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| EX3300-T1 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| EX3301-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| EX3500-T0 | 5.44(ACHR.5)C0 and earlier | 5.44(ACHR.5.1)C0 |
| EX3501-T0 | 5.44(ACHR.5)C0 and earlier | 5.44(ACHR.5.1)C0 |
| EX3510-B0 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 |
| EX3510-B1 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 |
| EX3600-T0 | 5.70(ACIF.2)C0 and earlier | 5.70(ACIF.2.1)C0 |
| EX5401-B1 | 5.17(ABYO.7)C0 and earlier | 5.17(ABYO.7.1)C0 |
| EX5510-B0 | 5.17(ABQX.11)C0 and earlier | 5.17(ABQX.11.1)C0 |
| EX5512-T0 | 5.70(ACEG.5.2)C0 and earlier | 5.70(ACEG.5.3)C0 |
| EX5601-T0 | 5.70(ACDZ.5)C0 and earlier | 5.70(ACDZ.5.1)C0 |
| EX5601-T1 | 5.70(ACDZ.5)C0 and earlier | 5.70(ACDZ.5.1)C0 |
| EX7501-B0 | 5.18(ACHN.3)C0 and earlier | 5.18(ACHN.3.1)C0 |
| EX7710-B0 | 5.18(ACAK.1.5)C0 and earlier | 5.18(ACAK.1.6)C0 |
| GM4100-B0 | 5.18(ACCL.1.1)C0 and earlier | 5.18(ACCL.2)C0 |
| VMG3625-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 |
| VMG4005-B50A | 5.17(ABQA.3.1)C0 and earlier | 5.17(ABQA.3.2)C0 |
| VMG4005-B60A | 5.17(ABQA.3.1)C0 and earlier | 5.17(ABQA.3.2)C0 |
| VMG8623-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 |
| Fiber ONTs | ||
| AX7501-B1 | 5.17(ABPC.7)C0 and earlier | 5.17(ABPC.7.1)C0 |
| PE3301-00 | 5.63(ACMT.2)C0 and earlier | 5.63(ACMT.2.1)C0 |
| PE5301-01 | 5.63(ACOJ.2)C0 and earlier | 5.63(ACOJ.2.1)C0 |
| PM3100-T0 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 |
| PM5100-T0 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 |
| PM5100-T1 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 |
| PM7300-T0 | 5.42(ABYY.4)C0 and earlier | 5.42(ABYY.4.1)C0 |
| PM7500-00 | 5.61(ACKK.1.1)C0 and earlier | 5.61(ACKK.1.2)C0 |
| PX3321-T1 | 5.44(ACJB.1.4)C0 and earlier | 5.44(ACJB.1.5)C0 |
| 5.44(ACHK.2)C0 and earlier | 5.44(ACHK.3)C0 | |
| PX5301-T0 | 5.44(ACKB.0.5)C0 and earlier | 5.44(ACKB.0.6)C0 |
| Wireless Extenders | ||
| WE3300-00 | 5.70(ACKA.1)C0 and earlier | 5.70(ACKA.1.1)C0 |
| WX3100-T0 | 5.50(ABVL.4.8)C0 and earlier | 5.50(ABVL.4.9)C0 |
| WX3401-B1 | 5.17(ABVE.2.9)C0 and earlier | 5.17(ABVE.2.10)C0 |
| WX5600-T0 | 5.70(ACEB.5)C0 and earlier | 5.70(ACEB.5.1)C0 |
| WX5610-B0 | 5.18(ACGJ.0.4)C0 and earlier | 5.18(ACGJ.0.5)C0 |
| Models affected by CVE-2025-11846 | ||
|---|---|---|
| Affected model | Affected version | Patch availability* |
| 4G LTE CPE | ||
| LTE3301-PLUS | 1.00(ABQU.8)C0 and earlier | 1.00(ABQU.9)C0 |
| DSL/Ethernet CPE | ||
| DX3300-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| DX3300-T1 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| DX3301-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| DX4510-B0 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 |
| DX4510-B1 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 |
| DX5401-B1 | 5.17(ABYO.7)C0 and earlier | 5.17(ABYO.7.1)C0 |
| EE3301-00 | 5.63(ACMU.2)C0 and earlier | 5.63(ACMU.2.1)C0 |
| EE5301-00 | 5.63(ACLD.2)C0 and earlier | 5.63(ACLD.2.1)C0 |
| EE6510-10 | 5.19(ACJQ.4)C0 and earlier | 5.19(ACJQ.4.1)C0 |
| EMG3525-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 |
| EMG5523-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 |
| EX2210-T0 | 5.50(ACDI.2.2)C0 and earlier | 5.50(ACDI.2.3)C0 |
| EX3300-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| EX3300-T1 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| EX3301-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| EX3500-T0 | 5.44(ACHR.5)C0 and earlier | 5.44(ACHR.5.1)C0 |
| EX3501-T0 | 5.44(ACHR.5)C0 and earlier | 5.44(ACHR.5.1)C0 |
| EX3510-B0 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 |
| EX3510-B1 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 |
| EX3600-T0 | 5.70(ACIF.2)C0 and earlier | 5.70(ACIF.2.1)C0 |
| EX5401-B1 | 5.17(ABYO.7)C0 and earlier | 5.17(ABYO.7.1)C0 |
| EX5510-B0 | 5.17(ABQX.11)C0 and earlier | 5.17(ABQX.11.1)C0 |
| EX5512-T0 | 5.70(ACEG.5.2)C0 and earlier | 5.70(ACEG.5.3)C0 |
| EX5601-T0 | 5.70(ACDZ.5)C0 and earlier | 5.70(ACDZ.5.1)C0 |
| EX5601-T1 | 5.70(ACDZ.5)C0 and earlier | 5.70(ACDZ.5.1)C0 |
| EX7501-B0 | 5.18(ACHN.3)C0 and earlier | 5.18(ACHN.3.1)C0 |
| EX7710-B0 | 5.18(ACAK.1.5)C0 and earlier | 5.18(ACAK.1.6)C0 |
| GM4100-B0 | 5.18(ACCL.1.1)C0 and earlier | 5.18(ACCL.2)C0 |
| VMG3625-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 |
| VMG4005-B50A | 5.17(ABQA.3.1)C0 and earlier | 5.17(ABQA.3.2)C0 |
| VMG4005-B60A | 5.17(ABQA.3.1)C0 and earlier | 5.17(ABQA.3.2)C0 |
| VMG8623-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 |
| Fiber ONTs | ||
| AX7501-B1 | 5.17(ABPC.7)C0 and earlier | 5.17(ABPC.7.1)C0 |
| PE3301-00 | 5.63(ACMT.2)C0 and earlier | 5.63(ACMT.2.1)C0 |
| PE5301-01 | 5.63(ACOJ.2)C0 and earlier | 5.63(ACOJ.2.1)C0 |
| PM3100-T0 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 |
| PM5100-T0 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 |
| PM5100-T1 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 |
| PM7300-T0 | 5.42(ABYY.4)C0 and earlier | 5.42(ABYY.4.1)C0 |
| PM7500-00 | 5.61(ACKK.1.1)C0 and earlier | 5.61(ACKK.1.2)C0 |
| PX3321-T1 | 5.44(ACJB.1.4)C0 and earlier | 5.44(ACJB.1.5)C0 |
| 5.44(ACHK.2)C0 and earlier | 5.44(ACHK.3)C0 | |
| PX5301-T0 | 5.44(ACKB.0.5)C0 and earlier | 5.44(ACKB.0.6)C0 |
| Wireless Extenders | ||
| WE3300-00 | 5.70(ACKA.1)C0 and earlier | 5.70(ACKA.1.1)C0 |
| WX3100-T0 | 5.50(ABVL.4.8)C0 and earlier | 5.50(ABVL.4.9)C0 |
| WX3401-B1 | 5.17(ABVE.2.9)C0 and earlier | 5.17(ABVE.2.10)C0 |
| WX5600-T0 | 5.70(ACEB.5)C0 and earlier | 5.70(ACEB.5.1)C0 |
| WX5610-B0 | 5.18(ACGJ.0.4)C0 and earlier | 5.18(ACGJ.0.5)C0 |
| Models affected by CVE-2025-11847 | ||
|---|---|---|
| Affected model | Affected version | Patch availability* |
| 4G LTE CPE | ||
| LTE3301-PLUS | 1.00(ABQU.8)C0 and earlier | 1.00(ABQU.9)C0 |
| DSL/Ethernet CPE | ||
| DX3300-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| DX3300-T1 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| DX3301-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| DX4510-B0 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 |
| DX4510-B1 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 |
| DX5401-B1 | 5.17(ABYO.7)C0 and earlier | 5.17(ABYO.7.1)C0 |
| EE3301-00 | 5.63(ACMU.2)C0 and earlier | 5.63(ACMU.2.1)C0 |
| EE5301-00 | 5.63(ACLD.2)C0 and earlier | 5.63(ACLD.2.1)C0 |
| EE6510-10 | 5.19(ACJQ.4)C0 and earlier | 5.19(ACJQ.4.1)C0 |
| EMG3525-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 |
| EMG5523-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 |
| EX2210-T0 | 5.50(ACDI.2.2)C0 and earlier | 5.50(ACDI.2.3)C0 |
| EX3300-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| EX3300-T1 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| EX3301-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| EX3500-T0 | 5.44(ACHR.5)C0 and earlier | 5.44(ACHR.5.1)C0 |
| EX3501-T0 | 5.44(ACHR.5)C0 and earlier | 5.44(ACHR.5.1)C0 |
| EX3510-B0 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 |
| EX3510-B1 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 |
| EX3600-T0 | 5.70(ACIF.2)C0 and earlier | 5.70(ACIF.2.1)C0 |
| EX5401-B1 | 5.17(ABYO.7)C0 and earlier | 5.17(ABYO.7.1)C0 |
| EX5510-B0 | 5.17(ABQX.11)C0 and earlier | 5.17(ABQX.11.1)C0 |
| EX5512-T0 | 5.70(ACEG.5.2)C0 and earlier | 5.70(ACEG.5.3)C0 |
| EX5601-T0 | 5.70(ACDZ.5)C0 and earlier | 5.70(ACDZ.5.1)C0 |
| EX5601-T1 | 5.70(ACDZ.5)C0 and earlier | 5.70(ACDZ.5.1)C0 |
| EX7501-B0 | 5.18(ACHN.3)C0 and earlier | 5.18(ACHN.3.1)C0 |
| EX7710-B0 | 5.18(ACAK.1.5)C0 and earlier | 5.18(ACAK.1.6)C0 |
| GM4100-B0 | 5.18(ACCL.1.1)C0 and earlier | 5.18(ACCL.2)C0 |
| VMG3625-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 |
| VMG4005-B50A | 5.17(ABQA.3.1)C0 and earlier | 5.17(ABQA.3.2)C0 |
| VMG4005-B60A | 5.17(ABQA.3.1)C0 and earlier | 5.17(ABQA.3.2)C0 |
| VMG8623-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 |
| Fiber ONTs | ||
| AX7501-B1 | 5.17(ABPC.7)C0 and earlier | 5.17(ABPC.7.1)C0 |
| PE3301-00 | 5.63(ACMT.2)C0 and earlier | 5.63(ACMT.2.1)C0 |
| PE5301-01 | 5.63(ACOJ.2)C0 and earlier | 5.63(ACOJ.2.1)C0 |
| PM3100-T0 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 |
| PM5100-T0 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 |
| PM5100-T1 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 |
| PM7300-T0 | 5.42(ABYY.4)C0 and earlier | 5.42(ABYY.4.1)C0 |
| PM7500-00 | 5.61(ACKK.1.1)C0 and earlier | 5.61(ACKK.1.2)C0 |
| PX3321-T1 | 5.44(ACJB.1.4)C0 and earlier | 5.44(ACJB.1.5)C0 |
| 5.44(ACHK.2)C0 and earlier | 5.44(ACHK.3)C0 | |
| PX5301-T0 | 5.44(ACKB.0.5)C0 and earlier | 5.44(ACKB.0.6)C0 |
| Wireless Extenders | ||
| WE3300-00 | 5.70(ACKA.1)C0 and earlier | 5.70(ACKA.1.1)C0 |
| WX3100-T0 | 5.50(ABVL.4.8)C0 and earlier | 5.50(ABVL.4.9)C0 |
| WX3401-B1 | 5.17(ABVE.2.9)C0 and earlier | 5.17(ABVE.2.10)C0 |
| WX5600-T0 | 5.70(ACEB.5)C0 and earlier | 5.70(ACEB.5.1)C0 |
| WX5610-B0 | 5.18(ACGJ.0.4)C0 and earlier | 5.18(ACGJ.0.5)C0 |
| Models affected by CVE-2025-11848 | ||
|---|---|---|
| Affected model | Affected version | Patch availability* |
| DSL/Ethernet CPE | ||
| DX3300-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| DX3300-T1 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| DX3301-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| DX4510-B0 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 |
| DX4510-B1 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 |
| DX5401-B1 | 5.17(ABYO.7)C0 and earlier | 5.17(ABYO.7.1)C0 |
| EE3301-00 | 5.63(ACMU.2)C0 and earlier | 5.63(ACMU.2.1)C0 |
| EE5301-00 | 5.63(ACLD.2)C0 and earlier | 5.63(ACLD.2.1)C0 |
| EE6510-10 | 5.19(ACJQ.4)C0 and earlier | 5.19(ACJQ.4.1)C0 |
| EMG3525-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 |
| EMG5523-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 |
| EX2210-T0 | 5.50(ACDI.2.2)C0 and earlier | 5.50(ACDI.2.3)C0 |
| EX3300-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| EX3300-T1 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| EX3301-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| EX3500-T0 | 5.44(ACHR.5)C0 and earlier | 5.44(ACHR.5.1)C0 |
| EX3501-T0 | 5.44(ACHR.5)C0 and earlier | 5.44(ACHR.5.1)C0 |
| EX3510-B0 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 |
| EX3510-B1 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 |
| EX3600-T0 | 5.70(ACIF.2)C0 and earlier | 5.70(ACIF.2.1)C0 |
| EX5401-B1 | 5.17(ABYO.7)C0 and earlier | 5.17(ABYO.7.1)C0 |
| EX5510-B0 | 5.17(ABQX.11)C0 and earlier | 5.17(ABQX.11.1)C0 |
| EX5512-T0 | 5.70(ACEG.5.2)C0 and earlier | 5.70(ACEG.5.3)C0 |
| EX5601-T0 | 5.70(ACDZ.5)C0 and earlier | 5.70(ACDZ.5.1)C0 |
| EX5601-T1 | 5.70(ACDZ.5)C0 and earlier | 5.70(ACDZ.5.1)C0 |
| EX7501-B0 | 5.18(ACHN.3)C0 and earlier | 5.18(ACHN.3.1)C0 |
| EX7710-B0 | 5.18(ACAK.1.5)C0 and earlier | 5.18(ACAK.1.6)C0 |
| GM4100-B0 | 5.18(ACCL.1.1)C0 and earlier | 5.18(ACCL.2)C0 |
| VMG3625-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 |
| VMG4005-B50A | 5.17(ABQA.3.1)C0 and earlier | 5.17(ABQA.3.2)C0 |
| VMG4005-B60A | 5.17(ABQA.3.1)C0 and earlier | 5.17(ABQA.3.2)C0 |
| VMG8623-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 |
| Fiber ONTs | ||
| AX7501-B1 | 5.17(ABPC.7)C0 and earlier | 5.17(ABPC.7.1)C0 |
| PE3301-00 | 5.63(ACMT.2)C0 and earlier | 5.63(ACMT.2.1)C0 |
| PE5301-01 | 5.63(ACOJ.2)C0 and earlier | 5.63(ACOJ.2.1)C0 |
| PM3100-T0 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 |
| PM5100-T0 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 |
| PM5100-T1 | 5.42(ACBF.4)C0 and earlier | 5.42(ACBF.4.1)C0 |
| PM7300-T0 | 5.42(ABYY.4)C0 and earlier | 5.42(ABYY.4.1)C0 |
| PM7500-00 | 5.61(ACKK.1.1)C0 and earlier | 5.61(ACKK.1.2)C0 |
| PX3321-T1 | 5.44(ACJB.1.4)C0 and earlier | 5.44(ACJB.1.5)C0 |
| 5.44(ACHK.2)C0 and earlier | 5.44(ACHK.3)C0 | |
| PX5301-T0 | 5.44(ACKB.0.5)C0 and earlier | 5.44(ACKB.0.6)C0 |
| Wireless Extenders | ||
| WE3300-00 | 5.70(ACKA.1)C0 and earlier | 5.70(ACKA.1.1)C0 |
| WX3100-T0 | 5.50(ABVL.4.8)C0 and earlier | 5.50(ABVL.4.9)C0 |
| WX3401-B1 | 5.17(ABVE.2.9)C0 and earlier | 5.17(ABVE.2.10)C0 |
| WX5600-T0 | 5.70(ACEB.5)C0 and earlier | 5.70(ACEB.5.1)C0 |
| WX5610-B0 | 5.18(ACGJ.0.4)C0 and earlier | 5.18(ACGJ.0.5)C0 |
| Models affected by CVE-2025-13942 | ||
|---|---|---|
| Affected model | Affected version | Patch availability* |
| 4G LTE/5G NR CPE | ||
| LTE3301-PLUS | 1.00(ABQU.8)C0 and earlier | 1.00(ABQU.9)C0 |
| NR7101 | 1.00(ABUV.11)C0 and earlier | 1.00(ABUV.12)B2 |
| DSL/Ethernet CPE | ||
| DX4510-B0 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 |
| DX4510-B1 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 |
| EE6510-10 | 5.19(ACJQ.4)C0 and earlier | 5.19(ACJQ.4.1)C0 |
| EMG6726-B10A | 5.13(ABNP.8.1)C1 and earlier | 5.13(ABNP.8.2)C1 |
| EX2210-T0 | 5.50(ACDI.2.3)C0 and earlier | 5.50(ACDI.2.4)C0 |
| EX3510-B0 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 |
| EX3510-B1 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 |
| EX5510-B0 | 5.17(ABQX.11)C0 and earlier | 5.17(ABQX.11.1)C0 |
| EX5512-T0 | 5.70(ACEG.5.3)C0 and earlier | 5.70(ACEG.5.4)C0 |
| EX7710-B0 | 5.18(ACAK.1.5)C0 and earlier | 5.18(ACAK.1.6)C0 |
| VMG4927-B50A | 5.13(ABLY.10.1)C0 and earlier | 5.13(ABLY.10.2)C0 |
| Fiber ONTs | ||
| PX3321-T1 | 5.44(ACJB.1.4)C0 and earlier | 5.44(ACJB.1.5)C0 |
| 5.44(ACHK.2)C0 and earlier | 5.44(ACHK.3)C0 | |
| PX5301-T0 | 5.44(ACKB.0.5)C0 and earlier | 5.44(ACKB.0.6)C0 |
| Wireless Extenders | ||
| WX5610-B0 | 5.18(ACGJ.0.4)C0 and earlier | 5.18(ACGJ.0.5)C0 |
| Models affected by CVE-2025-13943 | ||
|---|---|---|
| Affected model | Affected version | Patch availability* |
| DSL/Ethernet CPE | ||
| DM4200-B0 | 5.17(ACBS.1.5)C0 and earlier | 5.17(ACBS.1.6)C0 |
| DX3300-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| DX3300-T1 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| DX3301-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| DX4510-B0 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 |
| DX4510-B1 | 5.17(ABYL.10)C0 and earlier | 5.17(ABYL.10.1)C0 |
| DX5401-B1 | 5.17(ABYO.7)C0 and earlier | 5.17(ABYO.7.1)C0 |
| EE3301-00 | 5.63(ACMU.2)C0 and earlier | 5.63(ACMU.2.1)C0 |
| EE5301-00 | 5.63(ACLD.2)C0 and earlier | 5.63(ACLD.2.1)C0 |
| EE6510-10 | 5.19(ACJQ.4)C0 and earlier | 5.19(ACJQ.4.1)C0 |
| EMG3525-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 |
| EMG5523-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 |
| EMG6726-B10A | 5.13(ABNP.8.1)C1 and earlier | 5.13(ABNP.8.2)C1 |
| EX2210-T0 | 5.50(ACDI.2.3)C0 and earlier | 5.50(ACDI.2.4)C0 |
| EX3300-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| EX3300-T1 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| EX3301-T0 | 5.50(ABVY.7)C0 and earlier | 5.50(ABVY.7.1)C0 |
| EX3500-T0 | 5.44(ACHR.5)C0 and earlier | 5.44(ACHR.5.1)C0 |
| EX3501-T0 | 5.44(ACHR.5)C0 and earlier | 5.44(ACHR.5.1)C0 |
| EX3510-B0 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 |
| EX3510-B1 | 5.17(ABUP.15.1)C0 and earlier | 5.17(ABUP.15.2)C0 |
| EX3600-T0 | 5.70(ACIF.2)C0 and earlier | 5.70(ACIF.2.1)C0 |
| EX5401-B1 | 5.17(ABYO.7)C0 and earlier | 5.17(ABYO.7.1)C0 |
| EX5510-B0 | 5.17(ABQX.11)C0 and earlier | 5.17(ABQX.11.1)C0 |
| EX5512-T0 | 5.70(ACEG.5.3)C0 and earlier | 5.70(ACEG.5.4)C0 |
| EX5601-T0 | 5.70(ACDZ.5)C0 and earlier | 5.70(ACDZ.5.1)C0 |
| EX5601-T1 | 5.70(ACDZ.5)C0 and earlier | 5.70(ACDZ.5.1)C0 |
| EX7501-B0 | 5.18(ACHN.3)C0 and earlier | 5.18(ACHN.3.1)C0 |
| EX7710-B0 | 5.18(ACAK.1.5)C0 and earlier | 5.18(ACAK.1.6)C0 |
| GM4100-B0 | 5.18(ACCL.1.1)C0 and earlier | 5.18(ACCL.2)C0 |
| VMG3625-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 |
| VMG4005-B50A | 5.17(ABQA.3.1)C0 and earlier | 5.17(ABQA.3.2)C0 |
| VMG4005-B60A | 5.17(ABQA.3.1)C0 and earlier | 5.17(ABQA.3.2)C0 |
| VMG4927-B50A | 5.13(ABLY.10.1)C0 and earlier | 5.13(ABLY.10.2)C0 |
| VMG8623-T50B | 5.50(ABPM.9.6)C0 and earlier | 5.50(ABPM.9.7)C0 |
| Fiber ONTs | ||
| AM7510-00 | 5.63(ACOR.0)C0 and earlier | 5.63(ACOR.0.1)C0 |
| AX7501-B1 | 5.17(ABPC.7)C0 and earlier | 5.17(ABPC.7.1)C0 |
| PE3301-00 | 5.63(ACMT.2)C0 and earlier | 5.63(ACMT.2.1)C0 |
| PE5301-01 | 5.63(ACOJ.2)C0 and earlier | 5.63(ACOJ.2.1)C0 |
| PM3100-T0 | 5.42(ACBF.4.1)C0 and earlier | 5.42(ACBF.4.2)C0 |
| PM5100-T0 | 5.42(ACBF.4.1)C0 and earlier | 5.42(ACBF.4.2)C0 |
| PM5100-T1 | 5.42(ACBF.4.1)C0 and earlier | 5.42(ACBF.4.2)C0 |
| PM7300-T0 | 5.42(ABYY.4)C0 and earlier | 5.42(ABYY.4.1)C0 |
| PM7500-00 | 5.61(ACKK.1.1)C0 and earlier | 5.61(ACKK.1.2)C0 |
| PX3321-T1 | 5.44(ACJB.1.4)C0 and earlier | 5.44(ACJB.1.5)C0 |
| 5.44(ACHK.2)C0 and earlier | 5.44(ACHK.3)C0 | |
| PX5301-T0 | 5.44(ACKB.0.5)C0 and earlier | 5.44(ACKB.0.6)C0 |
| Wireless Extenders | ||
| WE3300-00 | 5.70(ACKA.1)C0 and earlier | 5.70(ACKA.1.1)C0 |
| WE4600-00 | 6.70(ACKT.0)B8 and earlier | 6.70(ACKT.0)C0 |
| WX3100-T0 | 5.50(ABVL.4.8)C0 and earlier | 5.50(ABVL.4.9)C0 |
| WX3401-B1 | 5.17(ABVE.2.9)C0 and earlier | 5.17(ABVE.2.10)C0 |
| WX5600-T0 | 5.70(ACEB.5)C0 and earlier | 5.70(ACEB.5.1)C0 |
| WX5610-B0 | 5.18(ACGJ.0.4)C0 and earlier | 5.18(ACGJ.0.5)C0 |
| Models affected by CVE-2026-1459 | ||
|---|---|---|
| Affected model | Affected version | Patch availability* |
| DSL/Ethernet CPE | ||
| DX5401-B1 | 5.17(ABYO.7.1)C0 and earlier | 5.17(ABYO.7.2)C0 in Mar. 2026 |
| EMG3525-T50B | 5.50(ABPM.9.7)C0 and earlier | 5.50(ABPM.9.8)C0 in Mar. 2026 |
| EMG5523-T50B | 5.50(ABPM.9.7)C0 and earlier | 5.50(ABPM.9.8)C0 in Mar. 2026 |
| VMG3625-T50B | 5.50(ABPM.9.7)C0 and earlier | 5.50(ABPM.9.8)C0 in Mar. 2026 |
| VMG3625-T50C | 5.50(ABPM.9.7)C0 and earlier | 5.50(ABPM.9.8)C0 in Mar. 2026 |
| VMG8623-T50B | 5.50(ABPM.9.7)C0 and earlier | 5.50(ABPM.9.8)C0 in Mar. 2026 |
* Please contact your Zyxel sales representative or support team to obtain the file.
Got a question?
For our ISP customers, please contact your Zyxel sales or service representatives for more information. For customers who have acquired Zyxel devices through an ISP, please directly contact your ISP's support team, as the devices may have custom configurations.
Acknowledgment
Thanks to the following security researchers:
- Tiantai Zhang from Purdue University for CVE-2025-11845, CVE-2025-11846, CVE-2025-11847, and CVE-2025-11848
- Víctor Fresco (@hacefresko) for CVE-2025-13942 and CVE-2025-13943
- Watchful IP for CVE-2026-1459
Revision history
2026-02-24: Initial release