CVE-2025-11730
Unknown Unknown - Not Provided
Post-Auth Command Injection in Zyxel DDNS CLI Allows OS Execution

Publication date: 2026-02-05

Last updated on: 2026-02-05

Assigner: Zyxel Corporation

Description
A post‑authentication command injection vulnerability in the Dynamic DNS (DDNS) configuration CLI command in Zyxel ATP series firmware versions from V5.35 through V5.41, USG FLEX series firmware versions from V5.35 through V5.41, USG FLEX 50(W) series firmware versions from V5.35 through V5.41, and USG20(W)-VPN series firmware versions from V5.35 through V5.41 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device by supplying a specially crafted string as an argument to the CLI command.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-05
Last Modified
2026-02-05
Generated
2026-06-16
AI Q&A
2026-02-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11730
EUVD
EUVD-2025-206867
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
zyxel atp From 5.35 (inc) to 5.41 (inc)
zyxel usg_flex From 5.35 (inc) to 5.41 (inc)
zyxel usg_flex_50(w) From 5.35 (inc) to 5.41 (inc)
zyxel usg20(w)-vpn From 5.35 (inc) to 5.41 (inc)
zyxel zld_firewall From 5.35 (inc) to 5.41 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, users are strongly advised to update their Zyxel firewall firmware to the patched version V5.42 as soon as possible.

This update addresses the post-authentication command injection vulnerability in the Dynamic DNS (DDNS) configuration CLI command affecting firmware versions from V5.35 through V5.41.

Impact Analysis

An attacker who has administrator privileges on the affected device can exploit this vulnerability to execute arbitrary operating system commands.

This could lead to full compromise of the device, allowing the attacker to manipulate device settings, disrupt network operations, or use the device as a foothold for further attacks.

Given the CVSS base score of 7.2 with high impact on confidentiality, integrity, and availability, the vulnerability poses a serious risk to network security.

Compliance Impact

I don't know

Detection Guidance

I don't know

Executive Summary

CVE-2025-11730 is a post-authentication command injection vulnerability in the Dynamic DNS (DDNS) configuration CLI command of Zyxel ZLD firewall firmware.

This flaw allows an authenticated attacker with administrator privileges to execute arbitrary operating system commands on the affected device by providing a specially crafted argument to the DDNS CLI command.

It affects firmware versions from V5.35 through V5.41 across multiple Zyxel firewall series including ATP, USG FLEX, USG FLEX 50(W), and USG20(W)-VPN.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11730. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart