Zyxel Ax7501-B0 Firmware vulnerabilities

CVE-2025-8693 [HIGH] CWE-78 CVE-2025-8693: A post-authentication command injection vulnerability in the "priv" parameter of Zyxel DX3300-T0 fir A post-authentication command injection vulnerability in the "priv" parameter of Zyxel DX3300-T0 firmware version 5.50(ABVY.6.3)C0 and earlier could allow an authenticated attacker to execute operating system (OS) commands on an affected device.

CVE-2025-6599 [MEDIUM] CWE-400 CVE-2025-6599: An uncontrolled resource consumption vulnerability in the web server of Zyxel DX3301-T0 firmware ver An uncontrolled resource consumption vulnerability in the web server of Zyxel DX3301-T0 firmware version 5.50(ABVY.6.3)C0 and earlier could allow an attacker to perform Slowloris‑style denial‑of‑service (DoS) attacks. Such attacks may temporarily block legitimate HTTP requests and partially disrupt access to the web management interface, while other n

CVE-2024-12009 [HIGH] CWE-78 CVE-2024-12009: A post-authentication command injection vulnerability in the "ZyEE" function of the Zyxel EX5601-T1 A post-authentication command injection vulnerability in the "ZyEE" function of the Zyxel EX5601-T1 firmware version V5.70(ACDZ.3.6)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.

CVE-2024-12010 [HIGH] CWE-78 CVE-2024-12010: A post-authentication command injection vulnerability in the ”zyUtilMailSend” function of the Zyxel A post-authentication command injection vulnerability in the ”zyUtilMailSend” function of the Zyxel AX7501-B1 firmware version V5.17(ABPC.5.3)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.

CVE-2024-8748 [HIGH] CWE-120 CVE-2024-8748: A buffer overflow vulnerability in the packet parser of the third-party library "libclinkc" in Zyxel A buffer overflow vulnerability in the packet parser of the third-party library "libclinkc" in Zyxel VMG8825-T50K firmware versions through V5.50(ABOM.8.4)C0 could allow an attacker to cause a temporary denial of service (DoS) condition against the web management interface by sending a crafted HTTP POST request to a vulnerable device.

CVE-2024-9197 [MEDIUM] CWE-120 CVE-2024-9197: A post-authentication buffer overflow vulnerability in the parameter "action" of the CGI program in A post-authentication buffer overflow vulnerability in the parameter "action" of the CGI program in Zyxel VMG3625-T50B firmware versions through V5.50(ABPM.9.2)C0 could allow an authenticated attacker with administrator privileges to cause a temporary denial of service (DoS) condition against the web management interface by sending a crafted HTTP GET r

CVE-2024-38266 [MEDIUM] CWE-119 CVE-2024-38266: An improper restriction of operations within the bounds of a memory buffer in the parameter type par An improper restriction of operations within the bounds of a memory buffer in the parameter type parser of the Zyxel VMG8825-T50K firmware versions through 5.50(ABOM.8)C0 could allow an authenticated attacker with administrator privileges to cause potential memory corruptions, resulting in a thread crash on an affected device.

CVE-2024-5412 [HIGH] CWE-120 CVE-2024-5412: A buffer overflow vulnerability in the library "libclinkc" of the Zyxel VMG8825-T50K firmware versio A buffer overflow vulnerability in the library "libclinkc" of the Zyxel VMG8825-T50K firmware version 5.50(ABOM.8)C0 could allow an unauthenticated attacker to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device.

CVE-2024-0816 [MEDIUM] CWE-120 CVE-2024-0816: The buffer overflow vulnerability in the DX3300-T1 firmware version V5.50(ABVY.4)C0 could allow an a The buffer overflow vulnerability in the DX3300-T1 firmware version V5.50(ABVY.4)C0 could allow an authenticated local attacker to cause denial of service (DoS) conditions by executing the CLI command with crafted strings on an affected device.

CVE-2023-37929 [MEDIUM] CWE-120 CVE-2023-37929: The buffer overflow vulnerability in the CGI program of the VMG3625-T50B firmware version V5.50(ABPM The buffer overflow vulnerability in the CGI program of the VMG3625-T50B firmware version V5.50(ABPM.8)C0 could allow an authenticated remote attacker to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device.

CVE-2022-45439 [MEDIUM] CWE-312 CVE-2022-45439: A pair of spare WiFi credentials is stored in the configuration file of the Zyxel AX7501-B0 firmware A pair of spare WiFi credentials is stored in the configuration file of the Zyxel AX7501-B0 firmware prior to V5.17(ABPC.3)C0 in cleartext. An unauthenticated attacker could use the credentials to access the WLAN service if the configuration file has been retrieved from the device by leveraging another known vulnerability.

CVE-2022-45440 [MEDIUM] CWE-59 CVE-2022-45440: A vulnerability exists in the FTP server of the Zyxel AX7501-B0 firmware prior to V5.17(ABPC.3)C0, w A vulnerability exists in the FTP server of the Zyxel AX7501-B0 firmware prior to V5.17(ABPC.3)C0, which processes symbolic links on external storage media. A local authenticated attacker with administrator privileges could abuse this vulnerability to access the root file system by creating a symbolic link on external storage media, such as a USB fla

CVE-2022-26413 [HIGH] CWE-78 CVE-2022-26413: A command injection vulnerability in the CGI program of Zyxel VMG3312-T20A firmware version 5.30(ABF A command injection vulnerability in the CGI program of Zyxel VMG3312-T20A firmware version 5.30(ABFX.5)C0 could allow a local authenticated attacker to execute arbitrary OS commands on a vulnerable device via a LAN interface.

CVE-2022-26414 [MEDIUM] CWE-120 CVE-2022-26414: A potential buffer overflow vulnerability was identified in some internal functions of Zyxel VMG3312 A potential buffer overflow vulnerability was identified in some internal functions of Zyxel VMG3312-T20A firmware version 5.30(ABFX.5)C0, which could be exploited by a local authenticated attacker to cause a denial of service.

CVE-2021-35036 [MEDIUM] CWE-312 CVE-2021-35036: A cleartext storage of information vulnerability in the Zyxel VMG3625-T50B firmware version V5.50(AB A cleartext storage of information vulnerability in the Zyxel VMG3625-T50B firmware version V5.50(ABTL.0)b2k could allow an authenticated attacker to obtain sensitive information from the configuration file.