Zyxel CVE coverage for firewalls, VPN gateways, routers, wireless devices, and SMB edge-network equipment.
Vendor watch hub
The Zyxelwatch hub is a vendor-specific view inside ITECS MSP Threat Radar. We pull the latest security advisories, incidents, and known-exploited CVEs directly from the official feeds below, score each one for MSP relevance, and surface what's most likely to need attention this week.
At a glance
Tracked
Active
Featured
Unique CVEs
Most recent entry
May 11, 2026, 11:16 PM
Feed refreshes daily · 5:15 a.m. Central
Sources·CISA KEV and NVD (product vendor coverage)
"Most recent entry" is the newest item the upstream feed has published — not our sync time.
Watch items
Showing the 20 most recent items, newest first. Each row links to the official advisory.
20 rows · sorted newest first
Operations viewUNSUPPORTED WHEN ASSIGNED A buffer overflow vulnerability in the formWep(), formWlAc(), formPasswordSetup(), formUpgradeCert(), and formDelcert() functions of the “webs” binary in Zyxel NWA1100-N customized firmware version 1.00(AACE.1)C0 could allow an attacker to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request to a vulnerable device.
UNSUPPORTED WHEN ASSIGNED A command injection vulnerability in the CGI program of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow an adjacent attacker on the LAN to execute operating system (OS) commands on a vulnerable device by sending a crafted HTTP request.
A post-authentication command injection vulnerability in the “DomainName” parameter of the DHCP configuration file in Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device.
Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the management commands that could allow an authenticated attacker to execute OS commands via Telnet.
Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the CGI program that could allow an authenticated attacker to execute OS commands via a crafted HTTP request.
Multiple Zyxel firewalls contain a path traversal vulnerability in the web management interface that could allow an attacker to download or upload files via a crafted URL. Known ransomware use: Known.
Zyxel P660HN-T1A routers contain a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user and exploited via the remote_host parameter of the ViewLog.asp page.
Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability that could allow an unauthenticated attacker to execute commands remotely via a crafted HTTP request.
Zyxel ATP, USG FLEX, USG FLEX 50(W), USG20(W)-VPN, VPN, and ZyWALL/USG firewalls contain a buffer overflow vulnerability in the ID processing function that could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and remote code execution on an affected device.
Zyxel ATP, USG FLEX, USG FLEX 50(W), USG20(W)-VPN, VPN, and ZyWALL/USG firewalls contain a buffer overflow vulnerability in the notification function that could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and remote code execution on an affected device.
Zyxel ATP, USG FLEX, VPN, and ZyWALL/USG firewalls allow for improper error message handling which could allow an unauthenticated attacker to execute OS commands remotely by sending crafted packets to an affected device.
A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code.
Zyxel firewalls (ATP, USG, VM) and AP Controllers (NXC2500 and NXC5500) contain a use of hard-coded credentials vulnerability in an undocumented account ("zyfwp") with an unchangeable password.
ZyXEL P-660HW v3 devices allow remote attackers to cause a denial of service (CPU consumption) via a flood of IP packets with a TTL of 1.
Zyxel NBG6716 V1.00(AAKG.9)C0 devices allow command injection in the ozkerz component because beginIndex and endIndex are used directly in a popen call.
ZyXEL PK5001Z devices have zyad5001 as the su password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists within an ISP's deployment of these devices).
Zyxel WRE6505 devices have a default TELNET password of 1234 for the root and admin accounts, which makes it easier for remote attackers to conduct DNS hijacking attacks by reconfiguring the built-in dnshijacker process.
A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute arbitrary commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI.
Zyxel USG50 Security Appliance and NWA3560-N Access Point allow remote attackers to cause a denial of service (CPU consumption) via a flood of ICMPv4 Port Unreachable packets.
| Alert | Exposure | Status | Published | Source |
|---|---|---|---|---|
nwa1100-n firmware vulnerability (CVE-2026-7287)UNSUPPORTED WHEN ASSIGNED A buffer overflow vulnerability in the formWep(), formWlAc(), formPasswordSetup(), formUpgradeCert(), and formDelcert() functions of the “webs” binary in Zyxel NWA1100-N customized firmware version 1.00(AACE.1)C0 could allow an attacker to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request to a vulnerable device. nwa1100-n firmware | HIGHCVE-2026-7287 Watch | watch | May 11, 2026, 11:16 PM | NVDOpen source |
wre6505 firmware vulnerability (CVE-2026-7256)UNSUPPORTED WHEN ASSIGNED A command injection vulnerability in the CGI program of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow an adjacent attacker on the LAN to execute operating system (OS) commands on a vulnerable device by sending a crafted HTTP request. wre6505 firmware | HIGHCVE-2026-7256 Watch | watch | May 11, 2026, 11:16 PM | NVDOpen source |
Zyxel DX3301-T0 and EX3301-T0 vulnerability (CVE-2026-1460)A post-authentication command injection vulnerability in the “DomainName” parameter of the DHCP configuration file in Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device. DX3301-T0 and EX3301-T0 | HIGHCVE-2026-1460 Watch | watch | Apr 27, 2026, 10:16 PM | NVDOpen source |
Zyxel DSL CPE OS Command Injection VulnerabilityMultiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the management commands that could allow an authenticated attacker to execute OS commands via Telnet. DSL CPE Devices | criticalCVE-2024-40891 Critical | active | Feb 10, 2025, 6:00 PM | CISA KEVOpen source |
Zyxel DSL CPE OS Command Injection VulnerabilityMultiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the CGI program that could allow an authenticated attacker to execute OS commands via a crafted HTTP request. DSL CPE Devices | criticalCVE-2024-40890 Critical | active | Feb 10, 2025, 6:00 PM | CISA KEVOpen source |
Zyxel Multiple Firewalls Path Traversal VulnerabilityMultiple Zyxel firewalls contain a path traversal vulnerability in the web management interface that could allow an attacker to download or upload files via a crafted URL. Known ransomware use: Known. Multiple Firewalls | criticalCVE-2024-11667 Critical | active | Dec 2, 2024, 6:00 PM | CISA KEVOpen source |
Zyxel P660HN-T1A Routers Command Injection VulnerabilityZyxel P660HN-T1A routers contain a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user and exploited via the remote_host parameter of the ViewLog.asp page. P660HN-T1A Routers | criticalCVE-2017-18368 Critical | active | Aug 6, 2023, 7:00 PM | CISA KEVOpen source |
Zyxel Multiple NAS Devices Command Injection VulnerabilityMultiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability that could allow an unauthenticated attacker to execute commands remotely via a crafted HTTP request. Multiple Network-Attached Storage (NAS) Devices | criticalCVE-2023-27992 Critical | active | Jun 22, 2023, 7:00 PM | CISA KEVOpen source |
Zyxel Multiple Firewalls Buffer Overflow VulnerabilityZyxel ATP, USG FLEX, USG FLEX 50(W), USG20(W)-VPN, VPN, and ZyWALL/USG firewalls contain a buffer overflow vulnerability in the ID processing function that could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and remote code execution on an affected device. Multiple Firewalls | criticalCVE-2023-33010 Critical | active | Jun 4, 2023, 7:00 PM | CISA KEVOpen source |
Zyxel Multiple Firewalls Buffer Overflow VulnerabilityZyxel ATP, USG FLEX, USG FLEX 50(W), USG20(W)-VPN, VPN, and ZyWALL/USG firewalls contain a buffer overflow vulnerability in the notification function that could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and remote code execution on an affected device. Multiple Firewalls | criticalCVE-2023-33009 Critical | active | Jun 4, 2023, 7:00 PM | CISA KEVOpen source |
Zyxel Multiple Firewalls OS Command Injection VulnerabilityZyxel ATP, USG FLEX, VPN, and ZyWALL/USG firewalls allow for improper error message handling which could allow an unauthenticated attacker to execute OS commands remotely by sending crafted packets to an affected device. Multiple Firewalls | criticalCVE-2023-28771 Critical | active | May 30, 2023, 7:00 PM | CISA KEVOpen source |
Zyxel Multiple Firewalls OS Command Injection VulnerabilityA command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device. Multiple Firewalls | criticalCVE-2022-30525 Critical | active | May 15, 2022, 7:00 PM | CISA KEVOpen source |
Zyxel Multiple NAS Devices OS Command Injection VulnerabilityMultiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code. Multiple Network-Attached Storage (NAS) Devices | criticalCVE-2020-9054 Critical | active | Mar 24, 2022, 7:00 PM | CISA KEVOpen source |
Zyxel Multiple Products Use of Hard-Coded Credentials VulnerabilityZyxel firewalls (ATP, USG, VM) and AP Controllers (NXC2500 and NXC5500) contain a use of hard-coded credentials vulnerability in an undocumented account ("zyfwp") with an unchangeable password. Multiple Products | criticalCVE-2020-29583 Critical | active | Nov 2, 2021, 7:00 PM | CISA KEVOpen source |
p-660hw firmware vulnerability (CVE-2017-17901)ZyXEL P-660HW v3 devices allow remote attackers to cause a denial of service (CPU consumption) via a flood of IP packets with a TTL of 1. p-660hw firmware | HIGHCVE-2017-17901 Watch | watch | Dec 29, 2017, 4:29 PM | NVDOpen source |
nbg6716 firmware vulnerability (CVE-2017-15226)Zyxel NBG6716 V1.00(AAKG.9)C0 devices allow command injection in the ozkerz component because beginIndex and endIndex are used directly in a popen call. nbg6716 firmware | CRITICALCVE-2017-15226 Watch | watch | Oct 10, 2017, 6:29 PM | NVDOpen source |
pk5001z firmware vulnerability (CVE-2016-10401)ZyXEL PK5001Z devices have zyad5001 as the su password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists within an ISP's deployment of these devices). pk5001z firmware | HIGHCVE-2016-10401 Watch | watch | Jul 25, 2017, 1:29 PM | NVDOpen source |
wre6505 firmware vulnerability (CVE-2017-7964)Zyxel WRE6505 devices have a default TELNET password of 1234 for the root and admin accounts, which makes it easier for remote attackers to conduct DNS hijacking attacks by reconfiguring the built-in dnshijacker process. wre6505 firmware | CRITICALCVE-2017-7964 Watch | watch | Apr 19, 2017, 11:59 AM | NVDOpen source |
emg2926 firmware vulnerability (CVE-2017-6884)A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute arbitrary commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI. emg2926 firmware | HIGHCVE-2017-6884 Critical | active | Apr 6, 2017, 12:59 PM | CISA KEVOpen source |
usg50 firmware vulnerability (CVE-2016-10227)Zyxel USG50 Security Appliance and NWA3560-N Access Point allow remote attackers to cause a denial of service (CPU consumption) via a flood of ICMPv4 Port Unreachable packets. usg50 firmware | HIGHCVE-2016-10227 Watch | watch | Feb 21, 2017, 1:59 AM | NVDOpen source |
ITECS response pathways
These pathways connect the vendor watch feed into service-owner resources that already carry commercial authority.
Use the managed firewall services pathway when this vendor alert needs an ITECS-managed response plan.
Connect the vendor watch page to broader managed detection, response, and governance planning.
Translate current watch items into a faster risk snapshot and prioritized remediation plan.
Return to the hub for cross-vendor prioritization, live filtering, and broader MSP threat context.
Vendor watch FAQ
It is the Zyxel-specific view inside ITECS Threat Radar, built to track recent advisories, incidents, and watch items that may affect Dallas-area business operations.
Use it to confirm whether current Zyxel issues overlap with your environment, prioritize remediation, and decide whether you need an assessment, managed security follow-through, or vendor-specific hardening work.
Yes. ITECS can help map Zyxel advisories against your systems, validate affected services, prioritize remediation, and connect the issue to broader managed cybersecurity or managed IT workflows.