Zyxel security advisory for command injection vulnerabilities in certain 5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders
CVEs: CVE-2026-0711, CVE-2026-1460
Summary
Zyxel has released patches for specific firmware versions of its 5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders. These updates address command injection vulnerabilities. Users are strongly advised to install the patches to ensure optimal protection.
What are the vulnerabilities?
CVE-2026-0711
A post-authentication command injection vulnerability in the EasyMesh-related APIs of certain 5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders firmware versions could allow an authenticated, adjacent attacker with administrator privileges to execute OS commands on an affected device. It is important to note that WAN access is disabled by default on these devices, and this attack can only succeed if user-configured passwords have been compromised.
CVE-2026-1460
A post-authentication command injection vulnerability in the “DomainName” parameter of the DHCP configuration file in certain DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders firmware versions could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device. It is important to note that WAN access is disabled by default on these devices, and this attack can only succeed if user-configured passwords have been compromised.
What versions are vulnerable—and what should you do?
After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address the vulnerabilities, as shown in the tables below. Please note that the tables do not include customized models specifically designed for ISP customers. Any on-market product not listed in the table is not affected.
| Models affected by CVE-2026-0711 | ||
|---|---|---|
| Affected model | Affected version | Patch availability* |
| 5G NR CPE | ||
| NR5307 | 2.00(ACJT.1)C0 and earlier | 2.00(ACJT.3)C0 |
| DSL/Ethernet CPE | ||
| DX3300-T0 | 5.50(ABVY.7.1)C0 and earlier | 5.50(ABVY.7.2)C0 |
| DX3300-T1 | 5.50(ABVY.7.1)C0 and earlier | 5.50(ABVY.7.2)C0 |
| DX3301-T0 | 5.50(ABVY.7.1)C0 and earlier | 5.50(ABVY.7.2)C0 |
| DX5401-B0 | 5.17(ABYO.7.1)C0 and earlier | 5.17(ABYO.7.2)C0 in May 2026 |
| DX5401-B1 | 5.17(ABYO.7.1)C0 and earlier | 5.17(ABYO.7.2)C0 in May 2026 |
| EE3301-00 | 5.63(ACMU.2.1)C0 and earlier | 5.63(ACMU.3.1)C0 in May 2026 |
| EE5301-00 | 5.63(ACLD.2.1)C0 and earlier | 5.63(ACLD.3.1)C0 in May 2026 |
| EE6510-10 | 5.19(ACJQ.4.1)C0 and earlier | 5.19(ACJQ.4.2)C0 |
| EMG3525-T50B | 5.50(ABPM.9.7)C0 and earlier | 5.50(ABPM.9.8)C0 |
| EMG5523-T50B | 5.50(ABPM.9.7)C0 and earlier | 5.50(ABPM.9.8)C0 |
| EX3300-T0 | 5.50(ABVY.7.1)C0 and earlier | 5.50(ABVY.7.2)C0 |
| EX3300-T1 | 5.50(ABVY.7.1)C0 and earlier | 5.50(ABVY.7.2)C0 |
| EX3301-T0 | 5.50(ABVY.7.1)C0 and earlier | 5.50(ABVY.7.2)C0 |
| EX3500-T0 | 5.44(ACHR.5.1)C0 and earlier | 5.44(ACHR.6)C0 in May 2026 |
| EX3501-T0 | 5.44(ACHR.5.1)C0 and earlier | 5.44(ACHR.6)C0 in May 2026 |
| EX3600-T0 | 5.70(ACIF.2.1)C0 and earlier | 5.70(ACIF.3)C0 in May 2026 |
| EX5401-B0 | 5.17(ABYO.7.1)C0 and earlier | 5.17(ABYO.7.2)C0 |
| EX5401-B1 | 5.17(ABYO.7.1)C0 and earlier | 5.17(ABYO.7.2)C0 |
| EX5512-T0 | 5.70(ACEG.5.4)C0 and earlier | 5.70(ACEG.5.5)C0 |
| EX5601-T0 | 5.70(ACDZ.5.1)C0 and earlier | 5.70(ACDZ.6)C0 in May 2026 |
| EX5601-T1 | 5.70(ACDZ.5.1)C0 and earlier | 5.70(ACDZ.6)C0 in May 2026 |
| EX7501-B0 | 5.18(ACHN.3.1)C0 and earlier | 5.18(ACHN.3.2)C0 |
| VMG3625-T50B | 5.50(ABPM.9.7)C0 and earlier | 5.50(ABPM.9.8)C0 |
| VMG8623-T50B | 5.50(ABPM.9.7)C0 and earlier | 5.50(ABPM.9.8)C0 |
| Fiber ONTs | ||
| AX7501-B0 | 5.17(ABPC.7.1)C0 and earlier | 5.17(ABPC.7.2)C0 |
| AX7501-B1 | 5.17(ABPC.7.1)C0 and earlier | 5.17(ABPC.7.2)C0 |
| PE3301-00 | 5.63(ACMT.2.1)C0 and earlier | 5.63(ACMT.3.1)C0 in May 2026 |
| PE5301-01 | 5.63(ACOJ.2.1)C0 and earlier | 5.63(ACOJ.3.1)C0 in May 2026 |
| PX5302-00 | 5.44(ACNM.0)C0 and earlier | 5.44(ACNM.0.1)C0 |
| PX5301-T0 | 5.44(ACKB.0.6)C0 and earlier | 5.44(ACKB.0.7)C0 |
| Wireless Extenders | ||
| WE3300-00 | 5.70(ACKA.1.1)C0 and earlier | 5.70(ACKA.2)C0 in May 2026 |
| WX3100-T0 | 5.50(ABVL.4.9)C0 and earlier | 5.50(ABVL.4.10)C0 |
| WE4600-00 | 6.70(ACKT.0)C0 and earlier | 6.70(ACKT.1)C0 in May 2026 |
| WX5600-T0 | 5.70(ACEB.5.1)C0 and earlier | 5.70(ACEB.6)C0 in May 2026 |
| Models affected by CVE-2026-1460 | ||
|---|---|---|
| Affected model | Affected version | Patch availability* |
| DSL/Ethernet CPE | ||
| DX3300-T0 | 5.50(ABVY.7.1)C0 and earlier | 5.50(ABVY.7.2)C0 |
| DX3300-T1 | 5.50(ABVY.7.1)C0 and earlier | 5.50(ABVY.7.2)C0 |
| DX3301-T0 | 5.50(ABVY.7.1)C0 and earlier | 5.50(ABVY.7.2)C0 |
| DX5401-B1 | 5.17(ABYO.7.1)C0 and earlier | 5.17(ABYO.7.2)C0 |
| EE3301-00 | 5.63(ACMU.2.1)C0 and earlier | 5.63(ACMU.3.1)C0 in May 2026 |
| EE5301-00 | 5.63(ACLD.2.1)C0 and earlier | 5.63(ACLD.3.1)C0 in May 2026 |
| EE6510-10 | 5.19(ACJQ.4.1)C0 and earlier | 5.19(ACJQ.4.2)C0 |
| EMG3525-T50B | 5.50(ABPM.9.7)C0 and earlier | 5.50(ABPM.9.8)C0 |
| EMG5523-T50B | 5.50(ABPM.9.7)C0 and earlier | 5.50(ABPM.9.8)C0 |
| EX2210-T0 | 5.50(ACDI.2.4)C0 and earlier | 5.50(ACDI.2.5)C0 |
| EX3300-T0 | 5.50(ABVY.7.1)C0 and earlier | 5.50(ABVY.7.2)C0 |
| EX3300-T1 | 5.50(ABVY.7.1)C0 and earlier | 5.50(ABVY.7.2)C0 |
| EX3301-T0 | 5.50(ABVY.7.1)C0 and earlier | 5.50(ABVY.7.2)C0 |
| EX3500-T0 | 5.44(ACHR.5.1)C0 and earlier | 5.44(ACHR.6)C0 in May 2026 |
| EX3501-T0 | 5.44(ACHR.5.1)C0 and earlier | 5.44(ACHR.6)C0 in May 2026 |
| EX3600-T0 | 5.70(ACIF.2.1)C0 and earlier | 5.70(ACIF.3)C0 in May 2026 |
| EX5401-B1 | 5.17(ABYO.7.1)C0 and earlier | 5.17(ABYO.7.2)C0 |
| EX5512-T0 | 5.70(ACEG.5.4)C0 and earlier | 5.70(ACEG.5.5)C0 |
| EX5601-T0 | 5.70(ACDZ.5.1)C0 and earlier | 5.70(ACDZ.6)C0 in May 2026 |
| EX5601-T1 | 5.70(ACDZ.5.1)C0 and earlier | 5.70(ACDZ.6)C0 in May 2026 |
| EX7501-B0 | 5.18(ACHN.3.1)C0 and earlier | 5.18(ACHN.3.2)C0 |
| EX7710-B0 | 5.18(ACAK.1.6)C0 and earlier | 5.18(ACAK.1.7)C0 |
| GM4100-B0 | 5.18(ACCL.2)C0 and earlier | 5.18(ACCL.2.1)C0 |
| VMG3625-T50B | 5.50(ABPM.9.7)C0 and earlier | 5.50(ABPM.9.8)C0 |
| VMG4005-B50A | 5.17(ABQA.3.2)C0 and earlier | 5.17(ABQA.3.3)C0 |
| VMG4005-B60A | 5.17(ABQA.3.2)C0 and earlier | 5.17(ABQA.3.3)C0 |
| VMG8623-T50B | 5.50(ABPM.9.7)C0 and earlier | 5.50(ABPM.9.8)C0 |
| Fiber ONTs | ||
| AM7510-00 | 5.63(ACOR.0.1)C0 and earlier | 5.63(ACOR.0.2)C0 |
| AX7501-B1 | 5.17(ABPC.7.1)C0 and earlier | 5.17(ABPC.7.2)C0 |
| PE3301-00 | 5.63(ACMT.2.1)C0 and earlier | 5.63(ACMT.3.1)C0 in May 2026 |
| PE5301-01 | 5.63(ACOJ.2.1)C0 and earlier | 5.63(ACOJ.3.1)C0 in May 2026 |
| PX5301-T0 | 5.44(ACKB.0.6)C0 and earlier | 5.44(ACKB.0.7)C0 |
| PX5302-00 | 5.44(ACNM.0)C0 and earlier | 5.44(ACNM.0.1)C0 |
| Wireless Extenders | ||
| WE3300-00 | 5.70(ACKA.1.1)C0 and earlier | 5.70(ACKA.2)C0 in May 2026 |
| WE4600-00 | 6.70(ACKT.0)C0 and earlier | 6.70(ACKT.1)C0 in May 2026 |
| WX5600-T0 | 5.70(ACEB.5.1)C0 and earlier | 5.70(ACEB.6)C0 in May 2026 |
* Please contact your Zyxel sales representative or support team to obtain the file. Please note that the table does NOT include customized models specifically designed for ISP customers.
Got a question?
For our ISP customers, please contact your Zyxel sales or service representatives for more information. For customers who have acquired Zyxel devices through an ISP, please directly contact your ISP's support team, as the devices may have custom configurations.
Acknowledgment
Thanks to the following security researchers:
- Joni Gadd for CVE-2026-0711
- Watchful IP for CVE-2026-1460
Revision history
2026-04-28: Initial release