Zyxel security advisory for buffer overflow vulnerabilities in the UPnP function of certain 5G NR CPE and DSL/Ethernet CPE
CVEs: CVE-2026-3870, CVE-2026-3871
Summary
Zyxel has released patches for specific firmware versions of certain 5G NR CPE and DSL/Ethernet CPE devices to address buffer overflow vulnerabilities. Users are strongly advised to install these patches to ensure optimal protection.
What are the vulnerabilities?
CVE-2026-3870
A buffer overflow vulnerability in the UPnP AddPortMapping() command in certain DSL/Ethernet CPE firmware versions could allow an adjacent attacker to trigger a temporary denial-of-service (DoS) condition affecting the UPnP function of the affected device. It is important to note that this vulnerability can only be exploited within a LAN/WLAN environment, and the device will continue to function as expected when processing network traffic, even if the attack is successful.
CVE-2026-3871
A buffer overflow vulnerability in the UPnP DeletePortMapping() command in certain 5G NR CPE and DSL/Ethernet CPE firmware versions could allow an adjacent attacker to trigger a temporary DoS condition affecting the UPnP function of the affected device. It is important to note that this vulnerability can only be exploited within a LAN/WLAN environment, and the device will continue to function as expected when processing network traffic, even if the attack is successful.
What versions are vulnerable—and what should you do?
After a thorough investigation, we identified the vulnerable products within their vulnerability support period and released firmware patches to address these vulnerabilities, as shown in the tables below. Please note that the tables do not include customized models specifically designed for ISP customers. Any product currently on the market that is not listed in the tables is not affected.
| Models affected by CVE-2026-3870 | ||
|---|---|---|
| Affected model | Affected version | Patch availability* |
| DSL/Ethernet CPE | ||
| VMG4005-B50B | 5.13(ABRL.5.4)C0 and earlier | 5.13(ABRL.5.5)C0 |
| Models affected by CVE-2026-3871 | ||
|---|---|---|
| Affected model | Affected version | Patch availability* |
| 5G NR CPE | ||
| NR7101 | 1.00(ABUV.11)C0 and earlier | 1.00(ABUV.12)B4 |
| DSL/Ethernet CPE | ||
| VMG4005-B50B | 5.13(ABRL.5.4)C0 and earlier | 5.13(ABRL.5.5)C0 |
* Please contact your Zyxel sales representative or support team to obtain the file. Please note that the table does NOT include customized models specifically designed for ISP customers.
Got a question?
For our ISP customers, please contact your Zyxel sales or service representatives for more information. For customers who have acquired Zyxel devices through an ISP, please directly contact your ISP's support team, as the devices may have custom configurations.
Acknowledgment
Thanks to McCaulay Hudson from watchTowr for reporting the issues to us.
Revision history
2026-06-02: Initial release