CVE-2025-11846
Null Pointer Dereference in Zyxel Firmware Causes DoS
Publication date: 2026-02-24
Last updated on: 2026-02-25
Assigner: Zyxel Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zyxel | lte3301-plus_firmware | to 1.00(abqu.9 (exc) |
| zyxel | nebula_fwa505_firmware | to 1.60(acko.2 (exc) |
| zyxel | nebula_fwa510_firmware | to 1.60(acgd.0 (exc) |
| zyxel | nebula_fwa515_firmware | to 1.60(acpz.0 (exc) |
| zyxel | nebula_fwa710_firmware | to 1.60(acgc.1 (exc) |
| zyxel | ee5301-00_firmware | to 5.63(acld.2.1 (exc) |
| zyxel | ee3301-00_firmware | to 5.63(acmu.2.1 (exc) |
| zyxel | dx5401-b1_firmware | to 5.17(abyo.7.1 (exc) |
| zyxel | dx4510-b1_firmware | to 5.17(abyl.10.1 (exc) |
| zyxel | dx4510-b0_firmware | to 5.17(abyl.10.1 (exc) |
| zyxel | dx3301-t0_firmware | to 5.50(abvy.7.1 (exc) |
| zyxel | dx3300-t1_firmware | to 5.50(abvy.7.1 (exc) |
| zyxel | dx3300-t0_firmware | to 5.50(abvy.7.1 (exc) |
| zyxel | ee6510-10_firmware | to 5.19(acjq.4.1 (exc) |
| zyxel | emg3525-t50b_firmware | to 5.50(abpm.9.7 (exc) |
| zyxel | nebula_lte3301-plus_firmware | to 1.18(acca.6 (exc) |
| zyxel | emg5523-t50b_firmware | to 5.50(abpm.9.7 (exc) |
| zyxel | ex2210-t0_firmware | to 5.50(acdi.2.3 (exc) |
| zyxel | ex3300-t0_firmware | to 5.50(abvy.7.1 (exc) |
| zyxel | ex3300-t1_firmware | to 5.50(abvy.7.1 (exc) |
| zyxel | ex3301-t0_firmware | to 5.50(abvy.7.1 (exc) |
| zyxel | ex3500-t0_firmware | to 5.44(achr.5.1 (exc) |
| zyxel | ex3501-t0_firmware | to 5.44(achr.5.1 (exc) |
| zyxel | ex3510-b0_firmware | to 5.17(abup.15.2 (exc) |
| zyxel | ex3510-b1_firmware | to 5.17(abup.15.2 (exc) |
| zyxel | ex3600-t0_firmware | to 5.70(acif.2.1 (exc) |
| zyxel | ex5401-b1_firmware | to 5.17(abyo.7.1 (exc) |
| zyxel | ex5510-b0_firmware | to 5.17(abqx.11.1 (exc) |
| zyxel | ex5512-t0_firmware | to 5.70(aceg.5.3 (exc) |
| zyxel | ex5601-t0_firmware | to 5.70(acdz.5.1 (exc) |
| zyxel | ex5601-t1_firmware | to 5.70(acdz.5.1 (exc) |
| zyxel | ex7501-b0_firmware | to 5.18(achn.3.1 (exc) |
| zyxel | ex7710-b0_firmware | to 5.18(acak.1.6 (exc) |
| zyxel | gm4100-b0_firmware | to 5.18(accl.2 (exc) |
| zyxel | pm7500-00_firmware | to 5.61(ackk.1.2 (exc) |
| zyxel | vmg3625-t50b_firmware | to 5.50(abpm.9.7 (exc) |
| zyxel | vmg4005-b50a_firmware | to 5.17(abqa.3.2 (exc) |
| zyxel | vmg4005-b60a_firmware | to 5.17(abqa.3.2 (exc) |
| zyxel | ax7501-b1_firmware | to 5.17(abpc.7.1 (exc) |
| zyxel | pe3301-00_firmware | to 5.63(acmt.2.1 (exc) |
| zyxel | pe5301-01_firmware | to 5.63(acoj.2.1 (exc) |
| zyxel | pm3100-t0_firmware | to 5.42(acbf.4.1 (exc) |
| zyxel | pm5100-t0_firmware | to 5.42(acbf.4.1 (exc) |
| zyxel | pm5100-t1_firmware | to 5.42(acbf.4.1 (exc) |
| zyxel | pm7300-t0_firmware | to 5.42(abyy.4.1 (exc) |
| zyxel | px3321-t1_firmware | to 5.44(achk.3 (exc) |
| zyxel | px3321-t1_firmware | to 5.44(acjb.1.5 (exc) |
| zyxel | px5301-t0_firmware | to 5.44(ackb.0.6 (exc) |
| zyxel | scr_50axe_firmware | to 1.30(acgn.0 (exc) |
| zyxel | vmg8623-t50b_firmware | to 5.50(abpm.9.7 (exc) |
| zyxel | we3300-00_firmware | to 5.70(acka.1.1 (exc) |
| zyxel | wx3100-t0_firmware | to 5.50(abvl.4.9 (exc) |
| zyxel | wx3401-b1_firmware | to 5.17(abve.2.10 (exc) |
| zyxel | wx5600-t0_firmware | to 5.70(aceb.5.1 (exc) |
| zyxel | wx5610-b0_firmware | to 5.18(acgj.0.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11846 is a null pointer dereference vulnerability found in the account settings CGI program of certain Zyxel devices. This vulnerability allows an authenticated attacker with administrator privileges to cause a denial-of-service (DoS) condition by sending a specially crafted HTTP request to the affected device.
The attack requires administrator-level authentication and can only be exploited if the device’s WAN access is enabled and user-configured passwords have been compromised, as WAN access is disabled by default on these devices.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition on the affected Zyxel device. This means the device could become unresponsive or stop functioning properly, potentially disrupting network connectivity or services that rely on the device.
Exploitation requires that the attacker has administrator access and that WAN access is enabled with compromised passwords, which could lead to service interruptions and operational downtime.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for specially crafted HTTP requests sent to the account settings CGI program on affected Zyxel devices. Since exploitation requires administrator-level authentication and involves sending crafted HTTP requests, inspecting HTTP logs for unusual or malformed requests targeting the account settings CGI endpoint may help identify attempts.
Additionally, verifying the firmware version on your Zyxel devices can help detect if they are vulnerable. Devices running firmware versions through 5.50(ABPM.9.6)C0 for VMG3625-T50B and through 5.50(ABVL.4.8)C0 for WX3100-T0 are affected.
Suggested commands to check firmware version on Zyxel devices typically include accessing the device via SSH or web interface and running commands like:
- ssh admin@<device_ip>
- show version
- cat /etc/version
For network detection, using tools like tcpdump or Wireshark to capture HTTP traffic and filter for requests to the account settings CGI endpoint may help identify suspicious activity.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the latest firmware updates released by Zyxel for all affected devices and models. Zyxel has provided patches for all vulnerable firmware versions.
Since exploitation requires administrator privileges and WAN access enabled, ensure that WAN access is disabled if not needed, and change all user-configured passwords to strong, unique passwords to prevent unauthorized access.
Contact Zyxel sales or support to obtain the appropriate firmware updates and apply them promptly to reduce the risk of exploitation.