CVE-2026-1459
HIGH WAF: High
CVSS 7.2
Published: 2026-02-24
CWE-78
A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.7)C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device.
WAF Coverage Analysis
OS Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| zyxel | vmg8623-t50b_firmware | up to 5.50\(abpm.9.7\)c0 |
| zyxel | dx5401-b1_firmware | up to 5.17\(abyo.7.1\)c0 |
| zyxel | emg3525-t50b_firmware | up to 5.50\(abpm.9.7\)c0 |
| zyxel | emg5523-t50b_firmware | up to 5.50\(abpm.9.7\)c0 |
| zyxel | vmg3625-t50b_firmware | up to 5.50\(abpm.9.7\)c0 |
| zyxel | vmg3625-t50c_firmware | up to 5.50\(abpm.9.7\)c0 |
References
- www.zyxel.com (Vendor Advisory)