Zyxel CVE coverage for firewalls, VPN gateways, routers, wireless devices, and SMB edge-network equipment.
Vendor watch hub
The Zyxelwatch hub is a vendor-specific view inside ITECS MSP Threat Radar. We pull the latest security advisories, incidents, and known-exploited CVEs directly from the official feeds below, score each one for MSP relevance, and surface what's most likely to need attention this week.
At a glance
Tracked
Active
Featured
Unique CVEs
Most recent entry
Apr 27, 2026, 10:16 PM
Feed refreshes daily · 5:15 a.m. Central
Sources·CISA KEV and NVD (product vendor coverage)
"Most recent entry" is the newest item the upstream feed has published — not our sync time.
Watch items
Showing the 15 most recent items, newest first. Each row links to the official advisory.
15 rows · sorted newest first
Operations viewA post-authentication command injection vulnerability in the “DomainName” parameter of the DHCP configuration file in Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device.
Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the management commands that could allow an authenticated attacker to execute OS commands via Telnet.
Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the CGI program that could allow an authenticated attacker to execute OS commands via a crafted HTTP request.
Multiple Zyxel firewalls contain a path traversal vulnerability in the web management interface that could allow an attacker to download or upload files via a crafted URL. Known ransomware use: Known.
Zyxel P660HN-T1A routers contain a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user and exploited via the remote_host parameter of the ViewLog.asp page.
Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability that could allow an unauthenticated attacker to execute commands remotely via a crafted HTTP request.
Zyxel ATP, USG FLEX, USG FLEX 50(W), USG20(W)-VPN, VPN, and ZyWALL/USG firewalls contain a buffer overflow vulnerability in the notification function that could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and remote code execution on an affected device.
Zyxel ATP, USG FLEX, USG FLEX 50(W), USG20(W)-VPN, VPN, and ZyWALL/USG firewalls contain a buffer overflow vulnerability in the ID processing function that could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and remote code execution on an affected device.
Zyxel ATP, USG FLEX, VPN, and ZyWALL/USG firewalls allow for improper error message handling which could allow an unauthenticated attacker to execute OS commands remotely by sending crafted packets to an affected device.
A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code.
Zyxel firewalls (ATP, USG, VM) and AP Controllers (NXC2500 and NXC5500) contain a use of hard-coded credentials vulnerability in an undocumented account ("zyfwp") with an unchangeable password.
A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute arbitrary commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI.
ZyXEL Prestige routers, including P-660, P-661, and P-662 models with firmware 3.40(PE9) and 3.40(AGD.2) through 3.40(AHQ.3), do not use a salt when calculating an MD5 password hash, which makes it easier for attackers to crack passwords.
ZyXEL ZyWALL 1050 has a hard-coded password for the Quagga and Zebra processes that is not changed when it is set by a user, which allows remote attackers to gain privileges.
| Alert | Exposure | Status | Published | Source |
|---|---|---|---|---|
Zyxel DX3301-T0 and EX3301-T0 vulnerability (CVE-2026-1460)A post-authentication command injection vulnerability in the “DomainName” parameter of the DHCP configuration file in Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device. DX3301-T0 and EX3301-T0 | HIGHCVE-2026-1460 Watch | watch | Apr 27, 2026, 10:16 PM | NVDOpen source |
Zyxel DSL CPE OS Command Injection VulnerabilityMultiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the management commands that could allow an authenticated attacker to execute OS commands via Telnet. DSL CPE Devices | criticalCVE-2024-40891 Critical | active | Feb 10, 2025, 6:00 PM | CISA KEVOpen source |
Zyxel DSL CPE OS Command Injection VulnerabilityMultiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the CGI program that could allow an authenticated attacker to execute OS commands via a crafted HTTP request. DSL CPE Devices | criticalCVE-2024-40890 Critical | active | Feb 10, 2025, 6:00 PM | CISA KEVOpen source |
Zyxel Multiple Firewalls Path Traversal VulnerabilityMultiple Zyxel firewalls contain a path traversal vulnerability in the web management interface that could allow an attacker to download or upload files via a crafted URL. Known ransomware use: Known. Multiple Firewalls | criticalCVE-2024-11667 Critical | active | Dec 2, 2024, 6:00 PM | CISA KEVOpen source |
Zyxel P660HN-T1A Routers Command Injection VulnerabilityZyxel P660HN-T1A routers contain a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user and exploited via the remote_host parameter of the ViewLog.asp page. P660HN-T1A Routers | criticalCVE-2017-18368 Critical | active | Aug 6, 2023, 7:00 PM | CISA KEVOpen source |
Zyxel Multiple NAS Devices Command Injection VulnerabilityMultiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability that could allow an unauthenticated attacker to execute commands remotely via a crafted HTTP request. Multiple Network-Attached Storage (NAS) Devices | criticalCVE-2023-27992 Critical | active | Jun 22, 2023, 7:00 PM | CISA KEVOpen source |
Zyxel Multiple Firewalls Buffer Overflow VulnerabilityZyxel ATP, USG FLEX, USG FLEX 50(W), USG20(W)-VPN, VPN, and ZyWALL/USG firewalls contain a buffer overflow vulnerability in the notification function that could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and remote code execution on an affected device. Multiple Firewalls | criticalCVE-2023-33009 Critical | active | Jun 4, 2023, 7:00 PM | CISA KEVOpen source |
Zyxel Multiple Firewalls Buffer Overflow VulnerabilityZyxel ATP, USG FLEX, USG FLEX 50(W), USG20(W)-VPN, VPN, and ZyWALL/USG firewalls contain a buffer overflow vulnerability in the ID processing function that could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and remote code execution on an affected device. Multiple Firewalls | criticalCVE-2023-33010 Critical | active | Jun 4, 2023, 7:00 PM | CISA KEVOpen source |
Zyxel Multiple Firewalls OS Command Injection VulnerabilityZyxel ATP, USG FLEX, VPN, and ZyWALL/USG firewalls allow for improper error message handling which could allow an unauthenticated attacker to execute OS commands remotely by sending crafted packets to an affected device. Multiple Firewalls | criticalCVE-2023-28771 Critical | active | May 30, 2023, 7:00 PM | CISA KEVOpen source |
Zyxel Multiple Firewalls OS Command Injection VulnerabilityA command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device. Multiple Firewalls | criticalCVE-2022-30525 Critical | active | May 15, 2022, 7:00 PM | CISA KEVOpen source |
Zyxel Multiple NAS Devices OS Command Injection VulnerabilityMultiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code. Multiple Network-Attached Storage (NAS) Devices | criticalCVE-2020-9054 Critical | active | Mar 24, 2022, 7:00 PM | CISA KEVOpen source |
Zyxel Multiple Products Use of Hard-Coded Credentials VulnerabilityZyxel firewalls (ATP, USG, VM) and AP Controllers (NXC2500 and NXC5500) contain a use of hard-coded credentials vulnerability in an undocumented account ("zyfwp") with an unchangeable password. Multiple Products | criticalCVE-2020-29583 Critical | active | Nov 2, 2021, 7:00 PM | CISA KEVOpen source |
emg2926 firmware vulnerability (CVE-2017-6884)A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute arbitrary commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI. emg2926 firmware | HIGHCVE-2017-6884 Critical | active | Apr 6, 2017, 12:59 PM | CISA KEVOpen source |
p-663hn-51 firmware vulnerability (CVE-2008-1526)ZyXEL Prestige routers, including P-660, P-661, and P-662 models with firmware 3.40(PE9) and 3.40(AGD.2) through 3.40(AHQ.3), do not use a salt when calculating an MD5 password hash, which makes it easier for attackers to crack passwords. p-663hn-51 firmware | HIGHCVE-2008-1526 Watch | watch | Mar 26, 2008, 5:44 AM | NVDOpen source |
zywall 1050 firmware vulnerability (CVE-2008-1160)ZyXEL ZyWALL 1050 has a hard-coded password for the Quagga and Zebra processes that is not changed when it is set by a user, which allows remote attackers to gain privileges. zywall 1050 firmware | CRITICALCVE-2008-1160 Watch | watch | Mar 24, 2008, 7:44 PM | NVDOpen source |
ITECS response pathways
These pathways connect the vendor watch feed into service-owner resources that already carry commercial authority.
Use the managed firewall services pathway when this vendor alert needs an ITECS-managed response plan.
Connect the vendor watch page to broader managed detection, response, and governance planning.
Translate current watch items into a faster risk snapshot and prioritized remediation plan.
Return to the hub for cross-vendor prioritization, live filtering, and broader MSP threat context.
Vendor watch FAQ
It is the Zyxel-specific view inside ITECS Threat Radar, built to track recent advisories, incidents, and watch items that may affect Dallas-area business operations.
Use it to confirm whether current Zyxel issues overlap with your environment, prioritize remediation, and decide whether you need an assessment, managed security follow-through, or vendor-specific hardening work.
Yes. ITECS can help map Zyxel advisories against your systems, validate affected services, prioritize remediation, and connect the issue to broader managed cybersecurity or managed IT workflows.