CVE-2025-11730
Post-Auth Command Injection in Zyxel DDNS CLI Allows OS Execution
Publication date: 2026-02-05
Last updated on: 2026-02-05
Assigner: Zyxel Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zyxel | atp | From 5.35 (inc) to 5.41 (inc) |
| zyxel | usg_flex | From 5.35 (inc) to 5.41 (inc) |
| zyxel | usg_flex_50(w) | From 5.35 (inc) to 5.41 (inc) |
| zyxel | usg20(w)-vpn | From 5.35 (inc) to 5.41 (inc) |
| zyxel | zld_firewall | From 5.35 (inc) to 5.41 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are strongly advised to update their Zyxel firewall firmware to the patched version V5.42 as soon as possible.
This update addresses the post-authentication command injection vulnerability in the Dynamic DNS (DDNS) configuration CLI command affecting firmware versions from V5.35 through V5.41.
How can this vulnerability impact me? :
An attacker who has administrator privileges on the affected device can exploit this vulnerability to execute arbitrary operating system commands.
This could lead to full compromise of the device, allowing the attacker to manipulate device settings, disrupt network operations, or use the device as a foothold for further attacks.
Given the CVSS base score of 7.2 with high impact on confidentiality, integrity, and availability, the vulnerability poses a serious risk to network security.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
Can you explain this vulnerability to me?
CVE-2025-11730 is a post-authentication command injection vulnerability in the Dynamic DNS (DDNS) configuration CLI command of Zyxel ZLD firewall firmware.
This flaw allows an authenticated attacker with administrator privileges to execute arbitrary operating system commands on the affected device by providing a specially crafted argument to the DDNS CLI command.
It affects firmware versions from V5.35 through V5.41 across multiple Zyxel firewall series including ATP, USG FLEX, USG FLEX 50(W), and USG20(W)-VPN.