CVE-2025-11845
Null Pointer Dereference in Zyxel Firmware Causes DoS
Publication date: 2026-02-24
Last updated on: 2026-02-25
Assigner: Zyxel Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zyxel | lte3301-plus_firmware | to 1.00(abqu.9 (exc) |
| zyxel | nebula_fwa505_firmware | to 1.60(acko.2 (exc) |
| zyxel | nebula_fwa510_firmware | to 1.60(acgd.0 (exc) |
| zyxel | nebula_fwa515_firmware | to 1.60(acpz.0 (exc) |
| zyxel | nebula_fwa710_firmware | to 1.60(acgc.1 (exc) |
| zyxel | ee5301-00_firmware | to 5.63(acld.2.1 (exc) |
| zyxel | ee3301-00_firmware | to 5.63(acmu.2.1 (exc) |
| zyxel | dx5401-b1_firmware | to 5.17(abyo.7.1 (exc) |
| zyxel | dx4510-b1_firmware | to 5.17(abyl.10.1 (exc) |
| zyxel | dx4510-b0_firmware | to 5.17(abyl.10.1 (exc) |
| zyxel | dx3301-t0_firmware | to 5.50(abvy.7.1 (exc) |
| zyxel | dx3300-t1_firmware | to 5.50(abvy.7.1 (exc) |
| zyxel | dx3300-t0_firmware | to 5.50(abvy.7.1 (exc) |
| zyxel | nebula_lte3301-plus_firmware | to 1.18(acca.6 (exc) |
| zyxel | ee6510-10_firmware | to 5.19(acjq.4.1 (exc) |
| zyxel | emg3525-t50b_firmware | to 5.50(abpm.9.7 (exc) |
| zyxel | emg5523-t50b_firmware | to 5.50(abpm.9.7 (exc) |
| zyxel | ex2210-t0_firmware | to 5.50(acdi.2.3 (exc) |
| zyxel | ex3300-t0_firmware | to 5.50(abvy.7.1 (exc) |
| zyxel | ex3300-t1_firmware | to 5.50(abvy.7.1 (exc) |
| zyxel | ex3301-t0_firmware | to 5.50(abvy.7.1 (exc) |
| zyxel | ex3500-t0_firmware | to 5.44(achr.5.1 (exc) |
| zyxel | ex3501-t0_firmware | to 5.44(achr.5.1 (exc) |
| zyxel | ex3510-b0_firmware | to 5.17(abup.15.2 (exc) |
| zyxel | ex3510-b1_firmware | to 5.17(abup.15.2 (exc) |
| zyxel | ex3600-t0_firmware | to 5.70(acif.2.1 (exc) |
| zyxel | ex5401-b1_firmware | to 5.17(abyo.7.1 (exc) |
| zyxel | ex5510-b0_firmware | to 5.17(abqx.11.1 (exc) |
| zyxel | ex5512-t0_firmware | to 5.70(aceg.5.3 (exc) |
| zyxel | ex5601-t0_firmware | to 5.70(acdz.5.1 (exc) |
| zyxel | ex5601-t1_firmware | to 5.70(acdz.5.1 (exc) |
| zyxel | ex7501-b0_firmware | to 5.18(achn.3.1 (exc) |
| zyxel | ex7710-b0_firmware | to 5.18(acak.1.6 (exc) |
| zyxel | gm4100-b0_firmware | to 5.18(accl.2 (exc) |
| zyxel | pm7500-00_firmware | to 5.61(ackk.1.2 (exc) |
| zyxel | vmg3625-t50b_firmware | to 5.50(abpm.9.7 (exc) |
| zyxel | vmg4005-b50a_firmware | to 5.17(abqa.3.2 (exc) |
| zyxel | vmg4005-b60a_firmware | to 5.17(abqa.3.2 (exc) |
| zyxel | ax7501-b1_firmware | to 5.17(abpc.7.1 (exc) |
| zyxel | pe3301-00_firmware | to 5.63(acmt.2.1 (exc) |
| zyxel | pe5301-01_firmware | to 5.63(acoj.2.1 (exc) |
| zyxel | pm3100-t0_firmware | to 5.42(acbf.4.1 (exc) |
| zyxel | pm5100-t0_firmware | to 5.42(acbf.4.1 (exc) |
| zyxel | pm5100-t1_firmware | to 5.42(acbf.4.1 (exc) |
| zyxel | pm7300-t0_firmware | to 5.42(abyy.4.1 (exc) |
| zyxel | px3321-t1_firmware | to 5.44(achk.3 (exc) |
| zyxel | px3321-t1_firmware | to 5.44(acjb.1.5 (exc) |
| zyxel | px5301-t0_firmware | to 5.44(ackb.0.6 (exc) |
| zyxel | scr_50axe_firmware | to 1.30(acgn.0 (exc) |
| zyxel | vmg8623-t50b_firmware | to 5.50(abpm.9.7 (exc) |
| zyxel | we3300-00_firmware | to 5.70(acka.1.1 (exc) |
| zyxel | wx3100-t0_firmware | to 5.50(abvl.4.9 (exc) |
| zyxel | wx3401-b1_firmware | to 5.17(abve.2.10 (exc) |
| zyxel | wx5600-t0_firmware | to 5.70(aceb.5.1 (exc) |
| zyxel | wx5610-b0_firmware | to 5.18(acgj.0.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a null pointer dereference issue found in the certificate downloader CGI program of certain Zyxel firmware versions. Specifically, it affects Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0. An authenticated attacker with administrator privileges can exploit this by sending a specially crafted HTTP request, which causes the program to dereference a null pointer.
This results in a denial-of-service (DoS) condition, meaning the affected device or service could crash or become unavailable.
How can this vulnerability impact me? :
The primary impact of this vulnerability is a denial-of-service (DoS) condition. An attacker with administrator privileges can cause the affected device or service to crash or become unresponsive by sending a crafted HTTP request.
This could lead to temporary loss of availability of the device or service, potentially disrupting network operations or access to resources managed by the affected Zyxel devices.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know