Zyxel security advisory for uncontrolled resource consumption and command injection vulnerabilities in certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders
CVEs: CVE-2025-6599, CVE-2025-8693
Summary
Zyxel has released patches for certain firmware versions of its 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders. These updates address an uncontrolled resource consumption vulnerability and a post-authentication command injection vulnerability. Users are strongly advised to install the patches to ensure optimal protection.
What are the vulnerabilities?
CVE-2025-6599
The uncontrolled resource consumption vulnerability in the web server of certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders firmware versions could allow an attacker to perform Slowloris‑style denial‑of‑service (DoS) attacks. Such attacks may temporarily block legitimate HTTP requests and partially disrupt access to the web management interface, while other networking services remain unaffected.
CVE-2025-8693
The post-authentication command injection vulnerability in the "priv" parameter of the CGI program in certain DSL/Ethernet CPE, Fiber ONTs, and Wireless Extenders firmware versions could allow an authenticated attacker to execute operating system (OS) commands on an affected device. It is important to note that WAN access is disabled by default on these devices, and the attack can only succeed if the strong, unique user passwords have been compromised.
What versions are vulnerable—and what should you do?
After a thorough investigation, we have identified the vulnerable products within their vulnerability support period and have released firmware patches to address these vulnerabilities, as shown in the tables below. Please note that the tables do not include customized models specifically designed for ISP customers. Any on-market product not listed in the table is not affected.
Models affected by CVE-2025-6599

| Affected model | Affected version | Patch availability |
|---|---|---|
| 4G LTE/5G NR CPE | | |
| LTE3301-PLUS | 1.00(ABQU.7)C0 and earlier | 1.00(ABQU.8)C0* |
| NR5103 | 4.19(ABYC.8)C0 and earlier | 4.19(ABYC.9)C0* |
| NR5103E | 1.00(ACDJ.1)C0 and earlier | 1.00(ACDJ.2)C0* |
| NR5309 | 1.00(ACKP.1)b3 and earlier | 1.00(ACKP.1)C0* |
| NR7302 | 5.00(ACHA.5)C0 and earlier | 1.00(ACHA.6)C0* |
| NR7303 | 1.00(ACEI.1)C0 and earlier | 1.00(ACEI.2)C0* |
| DSL/Ethernet CPE | | |
| DM4200-B0 | 5.17(ACBS.1.3)C0 and earlier | 5.17(ACBS.1.4)C0* |
| DX3300-T0 | 5.50(ABVY.6.3)C0 and earlier | 5.50(ABVY.6.4)C0* |
| DX3300-T1 | 5.50(ABVY.6.3)C0 and earlier | 5.50(ABVY.6.4)C0* |
| DX3301-T0 | 5.50(ABVY.6.3)C0 and earlier | 5.50(ABVY.6.4)C0* |
| DX4510-B1 | 5.17(ABYL.9)C0 and earlier | 5.17(ABYL.9.1)C0* |
| DX5401-B0 | 5.17(ABYO.7)b2 and earlier | 5.17(ABYO.7)C0* |
| DX5401-B1 | 5.17(ABYO.7)b2 and earlier | 5.17(ABYO.7)C0* |
| EE3301-00 | 5.63(ACMU.1.1)C0 and earlier | 5.63(ACMU.2)C0* |
| EE5301-00 | 5.63(ACLD.1.1)C0 and earlier | 5.63(ACLD.2)C0* |
| EE6510-10 | 5.19(ACJQ.3)C0 and earlier | 5.19(ACJQ.4)C0* |
| EX3300-T0 | 5.50(ABVY.6.3)C0 and earlier<br>5.50(ACDI.2.1)C0 and earlier | 5.50(ABVY.6.4)C0*<br>5.50(ACDI.2.2)C0* |
| EX3300-T1 | 5.50(ABVY.6.3)C0 and earlier | 5.50(ABVY.6.4)C0* |
| EX3301-T0 | 5.50(ABVY.6.3)C0 and earlier | 5.50(ABVY.6.4)C0* |
| EX3500-T0 | 5.44(ACHR.4)C0 and earlier | 5.44(ACHR.4.1)C0* |
| EX3501-T0 | 5.44(ACHR.4)C0 and earlier | 5.44(ACHR.4.1)C0* |
| EX3600-T0 | 5.70(ACIF.1.2)C0 and earlier | 5.70(ACIF.1.3)C0* |
| EX5401-B0 | 5.17(ABYO.7)b2 and earlier | 5.17(ABYO.7)C0* |
| EX5401-B1 | 5.17(ABYO.7)b2 and earlier | 5.17(ABYO.7)C0* |
| EX5501-B0 | 5.17(ABRY.5.5)C0 and earlier | 5.17(ABRY.5.6)C0* |
| EX5510-B0 | 5.17(ABQX.10)C0 and earlier | 5.17(ABQX.11)C0* |
| EX5512-T0 | 5.70(ACEG.5)C0 and earlier | 5.70(ACEG.5.1)C0* |
| EX5601-T0 | 5.70(ACDZ.4.1)C0 and earlier | 5.70(ACDZ.4.3)C0* |
| EX5601-T1 | 5.70(ACDZ.4.1)C0 and earlier | 5.70(ACDZ.4.3)C0* |
| EX7501-B0 | 5.18(ACHN.2.1)C0 and earlier | 5.18(ACHN.2.2)C0* |
| EX7710-B0 | 5.18(ACAK.1.4)C0 and earlier | 5.18(ACAK.1.5)C0* |
| EMG3525-T50B | 5.50(ABPM.9.5)C0 and earlier | 5.50(ABPM.9.6)C0* |
| EMG5523-T50B | 5.50(ABPM.9.5)C0 and earlier | 5.50(ABPM.9.6)C0* |
| EMG5723-T50K | 5.50(ABOM.8.6)C0 and earlier | 5.50(ABOM.8.7)C0* |
| EMG6726-B10A | 5.13(ABNP.8)C0 and earlier | 5.13(ABNP.8.1)C0* |
| GM4100-B0 | 5.18(ACCL.1)C0 and earlier | 5.18(ACCL.1.1)C0* |
| VMG3625-T50B | 5.50(ABPM.9.5)C0 and earlier | 5.50(ABPM.9.6)C0* |
| VMG3927-B50B | 5.13(ABLY.10)C0 and earlier | 5.13(ABLY.10.1)C0* |
| VMG3927-T50K | 5.50(ABOM.8.6)C0 and earlier | 5.50(ABOM.8.7)C0* |
| VMG4005-B50A | 5.17(ABQA.3)C0 and earlier | 5.17(ABQA.3.1)C0* |
| VMG4005-B60A | 5.17(ABQA.3)C0 and earlier | 5.17(ABQA.3.1)C0* |
| VMG4005-B50B | 5.13(ABRL.5.3)C0 and earlier | 5.13(ABRL.5.4)C0* |
| VMG4927-B50A | 5.13(ABLY.10)C0 and earlier | 5.13(ABLY.10.1)C0* |
| VMG8623-T50B | 5.50(ABPM.9.5)C0 and earlier | 5.50(ABPM.9.6)C0* |
| VMG8825-T50K | 5.50(ABOM.8.6)C0 and earlier | 5.50(ABOM.8.7)C0* |
| Fiber ONTs | | |
| AX7501-B0 | 5.17(ABPC.6.1)C0 and earlier | 5.17(ABPC.6.2)C0* |
| AX7501-B1 | 5.17(ABPC.6.1)C0 and earlier | 5.17(ABPC.6.2)C0* |
| PE3301-00 | 5.63(ACMT.1.1)C0 and earlier | 5.63(ACMT.2)C0* |
| PE5301-01 | 5.63(ACOJ.1.1)C0 and earlier | 5.63(ACOJ.2)C0* |
| PM3100-T0 | 5.42(ACBF.3)C0 and earlier | 5.42(ACBF.4)C0* |
| PM5100-T0 | 5.42(ACBF.3)C0 and earlier | 5.42(ACBF.4)C0* |
| PM7500-00 | 5.61(ACKK.1)C0 and earlier | 5.61(ACKK.1.1)C0* |
| PM7300-T0 | 5.42(ABYY.3)C0 and earlier | 5.42(ABYY.4)C0* |
| PX3321-T1 | 5.44(ACJB.1.3)C0 and earlier<br>5.44(ACHK.1)C0 and earlier | 5.44(ACJB.1.4)C0*<br>5.44(ACHK.2)C0* |
| PX5301-T0 | 5.44(ACKB.0.4)C0 and earlier | 5.44(ACKB.0.5)C0* |
| Wireless Extenders | | |
| WE3300-00 | 5.70(ACKA.0)C0 and earlier | 5.70(ACKA.1)C0* |
| WX3100-T0 | 5.50(ABVL.4.7)C0 and earlier | 5.50(ABVL.4.8)C0* |
| WX3401-B0 | 5.17(ABVE.2.8)C0 and earlier | 5.17(ABVE.2.9)C0* |
| WX3401-B1 | 5.17(ABVE.2.8)C0 and earlier | 5.17(ABVE.2.9)C0* |
| WX5600-T0 | 5.70(ACEB.4.1)C0 and earlier | 5.70(ACEB.4.3)C0* |
| WX5610-B0 | 5.18(ACGJ.0.3)C0 and earlier | 5.18(ACGJ.0.4)C0* |

Models affected by CVE-2025-8693

| Affected model | Affected version | Patch availability |
|---|---|---|
| DSL/Ethernet CPE | | |
| DM4200-B0 | 5.17(ACBS.1.3)C0 and earlier | 5.17(ACBS.1.4)C0* |
| DX3300-T0 | 5.50(ABVY.6.3)C0 and earlier | 5.50(ABVY.6.4)C0* |
| DX3300-T1 | 5.50(ABVY.6.3)C0 and earlier | 5.50(ABVY.6.4)C0* |
| DX3301-T0 | 5.50(ABVY.6.3)C0 and earlier | 5.50(ABVY.6.4)C0* |
| DX4510-B1 | 5.17(ABYL.9)C0 and earlier | 5.17(ABYL.9.1)C0* |
| DX5401-B0 | 5.17(ABYO.7)b2 and earlier | 5.17(ABYO.7)C0* |
| DX5401-B1 | 5.17(ABYO.7)b2 and earlier | 5.17(ABYO.7)C0* |
| EE3301-00 | 5.63(ACMU.1.1)C0 and earlier | 5.63(ACMU.2)C0* |
| EE5301-00 | 5.63(ACLD.1.1)C0 and earlier | 5.63(ACLD.2)C0* |
| EE6510-10 | 5.19(ACJQ.3)C0 and earlier | 5.19(ACJQ.4)C0* |
| EX3300-T0 | 5.50(ABVY.6.3)C0 and earlier<br>5.50(ACDI.2.1)C0 and earlier | 5.50(ABVY.6.4)C0*<br>5.50(ACDI.2.2)C0* |
| EX3300-T1 | 5.50(ABVY.6.3)C0 and earlier | 5.50(ABVY.6.4)C0* |
| EX3301-T0 | 5.50(ABVY.6.3)C0 and earlier | 5.50(ABVY.6.4)C0* |
| EX3500-T0 | 5.44(ACHR.4)C0 and earlier | 5.44(ACHR.4.1)C0* |
| EX3501-T0 | 5.44(ACHR.4)C0 and earlier | 5.44(ACHR.4.1)C0* |
| EX3510-B0 | 5.17(ABUP.15)C0 and earlier | 5.17(ABUP.15.1)C0* |
| EX3510-B1 | 5.17(ABUP.15)C0 and earlier | 5.17(ABUP.15.1)C0* |
| EX3600-T0 | 5.70(ACIF.1.2)C0 and earlier | 5.70(ACIF.1.3)C0* |
| EX5401-B0 | 5.17(ABYO.7)b2 and earlier | 5.17(ABYO.7)C0* |
| EX5401-B1 | 5.17(ABYO.7)b2 and earlier | 5.17(ABYO.7)C0* |
| EX5501-B0 | 5.17(ABRY.5.5)C0 and earlier | 5.17(ABRY.5.6)C0* |
| EX5510-B0 | 5.17(ABQX.10)C0 and earlier | 5.17(ABQX.11)C0* |
| EX5512-T0 | 5.70(ACEG.5)C0 and earlier | 5.70(ACEG.5.1)C0* |
| EX5601-T0 | 5.70(ACDZ.4.1)C0 and earlier | 5.70(ACDZ.4.3)C0* |
| EX5601-T1 | 5.70(ACDZ.4.1)C0 and earlier | 5.70(ACDZ.4.3)C0* |
| EX7501-B0 | 5.18(ACHN.2.1)C0 and earlier | 5.18(ACHN.2.2)C0* |
| EX7710-B0 | 5.18(ACAK.1.4)C0 and earlier | 5.18(ACAK.1.5)C0* |
| EMG3525-T50B | 5.50(ABPM.9.5)C0 and earlier | 5.50(ABPM.9.6)C0* |
| EMG5523-T50B | 5.50(ABPM.9.5)C0 and earlier | 5.50(ABPM.9.6)C0* |
| EMG5723-T50K | 5.50(ABOM.8.6)C0 and earlier | 5.50(ABOM.8.7)C0* |
| GM4100-B0 | 5.18(ACCL.1)C0 and earlier | 5.18(ACCL.1.1)C0* |
| VMG3625-T50B | 5.50(ABPM.9.5)C0 and earlier | 5.50(ABPM.9.6)C0* |
| VMG3927-T50K | 5.50(ABOM.8.6)C0 and earlier | 5.50(ABOM.8.7)C0* |
| VMG4005-B50A | 5.17(ABQA.3)C0 and earlier | 5.17(ABQA.3.1)C0* |
| VMG4005-B60A | 5.17(ABQA.3)C0 and earlier | 5.17(ABQA.3.1)C0* |
| VMG4005-B50B | 5.13(ABRL.5.3)C0 and earlier | 5.13(ABRL.5.4)C0* |
| VMG8623-T50B | 5.50(ABPM.9.5)C0 and earlier | 5.50(ABPM.9.6)C0* |
| VMG8825-T50K | 5.50(ABOM.8.6)C0 and earlier | 5.50(ABOM.8.7)C0* |
| Fiber ONTs | | |
| AX7501-B0 | 5.17(ABPC.6.1)C0 and earlier | 5.17(ABPC.6.2)C0* |
| AX7501-B1 | 5.17(ABPC.6.1)C0 and earlier | 5.17(ABPC.6.2)C0* |
| PE3301-00 | 5.63(ACMT.1.1)C0 and earlier | 5.63(ACMT.2)C0* |
| PE5301-01 | 5.63(ACOJ.1.1)C0 and earlier | 5.63(ACOJ.2)C0* |
| PM3100-T0 | 5.42(ACBF.3)C0 and earlier | 5.42(ACBF.4)C0* |
| PM5100-T0 | 5.42(ACBF.3)C0 and earlier | 5.42(ACBF.4)C0* |
| PM7500-00 | 5.61(ACKK.1)C0 and earlier | 5.61(ACKK.1.1)C0* |
| PM7300-T0 | 5.42(ABYY.3)C0 and earlier | 5.42(ABYY.4)C0* |
| PX3321-T1 | 5.44(ACJB.1.3)C0 and earlier<br>5.44(ACHK.1)C0 and earlier | 5.44(ACJB.1.4)C0*<br>5.44(ACHK.2)C0* |
| PX5301-T0 | 5.44(ACKB.0.4)C0 and earlier | 5.44(ACKB.0.5)C0* |
| Wireless Extenders | | |
| WE3300-00 | 5.70(ACKA.0)C0 and earlier | 5.70(ACKA.1)C0* |
| WX3100-T0 | 5.50(ABVL.4.7)C0 and earlier | 5.50(ABVL.4.8)C0* |
| WX3401-B0 | 5.17(ABVE.2.8)C0 and earlier | 5.17(ABVE.2.9)C0* |
| WX3401-B1 | 5.17(ABVE.2.8)C0 and earlier | 5.17(ABVE.2.9)C0* |
| WX5600-T0 | 5.70(ACEB.4.1)C0 and earlier | 5.70(ACEB.4.3)C0* |
| WX5610-B0 | 5.18(ACGJ.0.3)C0 and earlier | 5.18(ACGJ.0.4)C0* |
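
To check a device inventory against the tables above, the following added example (not Zyxel code) parses the firmware strings as printed in this advisory and compares a running version with the first fixed one for the same branch code. The function names, the ordering rule (build number inside the parentheses, then beta `b` before release `C`) and the inventory are assumptions made for this example.

```python
import re

# Firmware string as printed in the tables: <ver>(<4-letter code>.<build>)<b|C><n>
_FW = re.compile(r"^\d+\.\d+\s*\(([A-Z]{4})\.(\d+(?:\.\d+)*)\)\s*([bC])(\d+)$")

def parse_fw(text):
    """Return (branch_code, sort_key) for a firmware string; '*' and spaces tolerated."""
    m = _FW.match(text.strip().rstrip("*").strip())
    if not m:
        raise ValueError(f"unrecognized firmware string: {text!r}")
    code, build, stage, n = m.groups()
    # Assumption: order by the build inside the parentheses, then beta ('b')
    # before release ('C'). The leading number is ignored because the NR7302
    # row pairs 5.00(ACHA.5)C0 (affected) with 1.00(ACHA.6)C0 (fixed).
    key = (tuple(int(p) for p in build.split(".")), 0 if stage == "b" else 1, int(n))
    return code, key

# Excerpt copied from the tables above: model -> first fixed firmware per branch
FIXED = {
    "EX3300-T0": ["5.50(ABVY.6.4)C0", "5.50(ACDI.2.2)C0"],
    "DX5401-B0": ["5.17(ABYO.7)C0"],
    "NR7302": ["1.00(ACHA.6)C0"],
    "EX3500-T0": ["5.44(ACHR.4.1)C0"],
}

def status(model, running):
    """Classify one device as vulnerable / patched / unknown-branch / not-listed."""
    if model not in FIXED:
        return "not-listed"
    code, key = parse_fw(running)
    for fixed in FIXED[model]:
        fixed_code, fixed_key = parse_fw(fixed)
        if fixed_code == code:
            return "vulnerable" if key < fixed_key else "patched"
    # Branch code not in the table, e.g. an ISP-customized build: ask the ISP
    return "unknown-branch"

# Constructed inventory (hostnames and running versions are made up)
INVENTORY = [
    ("cpe-01", "EX3300-T0", "5.50(ACDI.2.1)C0"),
    ("cpe-02", "DX5401-B0", "5.17(ABYO.7)b2"),
    ("cpe-03", "EX3500-T0", "5.44(ACHR.4.1)C0"),
    ("cpe-04", "NR7302", "5.00(ACHA.5)C0"),
]

def audit(inventory):
    return {host: status(model, fw) for host, model, fw in inventory}

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(host, result)
```

A result of `unknown-branch` means the running firmware carries a branch code that the tables do not list for that model, which is the case the advisory routes to the ISP or Zyxel representative.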
Got a question?
For our ISP customers, please contact your Zyxel sales or service representatives for more information. For customers who have acquired Zyxel devices through an ISP, please directly contact your ISP's support team, as the devices may have custom configurations.
Acknowledgment
Thanks to the following security researchers:
- Iván Domínguez from Zerolynx for CVE-2025-6599
- Joni Gadd for CVE-2025-8693
Revision history
2025-11-18: Initial release