CVE-2025-13943

CWE-78 — OS Command Injection3 documents3 sources

Severity

8.8HIGH

EPSS

0.0%

top 85.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zyxel Am7510-00 Firmware Zyxel Ax7501-b1 Firmware Zyxel Dm4200-b0 Firmware +49 more

Timeline

PublishedFeb 24

Description

A post-authentication command injection vulnerability in the log file download function of the Zyxel EX3301-T0 firmware versions through 5.50(ABVY.7)C0 could allow an authenticated attacker to execute operating system (OS) commands on an affected device.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages53 packages

▶NVDzyxel/ex3301-t0_firmware< 5.50\(abvy.7.1\)c0

▶CVEListV5zyxel/ex3301-t0_firmware5.50(ABVY.7)C0

▶NVDzyxel/am7510-00_firmware< 5.63\(acoe.0.1\)c0

▶NVDzyxel/ax7501-b1_firmware< 5.17\(abpc.7.1\)c0

▶NVDzyxel/dm4200-b0_firmware< 5.17\(acbs.1.6\)c0

🔴Vulnerability Details

CVEList

CVE-2025-13943: A post-authentication command injection vulnerability in the log file download function of the Zyxel EX3301-T0 firmware versions through 5↗2026-02-24

▶

GHSA

GHSA-mg73-f2jm-wph7: A post-authentication command injection vulnerability in the log file download function of the Zyxel EX3301-T0 firmware versions through 5↗2026-02-24

▶