CVE-2026-1460
Post-Auth Command Injection in Zyxel DHCP DomainName Parameter

Publication date: 2026-04-28

Last updated on: 2026-04-28

Assigner: Zyxel Corporation

Description
A post-authentication command injection vulnerability in the “DomainName” parameter of the DHCP configuration file in Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device.
Meta Information
Published: 2026-04-28
Last Modified: 2026-04-28
Generated: 2026-05-07
AI Q&A: 2026-04-28
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor   Product     Version / Range
zyxel    dx3301-t0   5.50(ABVY.7.1)C0
zyxel    ex3301-t0   5.50(ABVY.7.1)C0
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-1460 is a post-authentication command injection vulnerability found in the "DomainName" parameter of the DHCP configuration file on certain Zyxel devices, specifically the DX3301-T0 and EX3301-T0 models with firmware versions up to 5.50(ABVY.7.1)C0.

An attacker who is already authenticated with administrator privileges on the device can exploit this vulnerability to execute arbitrary operating system commands. This means the attacker can run commands on the device's underlying OS, potentially taking full control of the device.

WAN access is disabled by default on these devices, so exploitation requires that the attacker has administrative access, typically through compromised credentials.


How can this vulnerability impact me?

If exploited, this vulnerability allows an attacker with administrator access to execute arbitrary OS commands on the affected device. This can result in:

  • Complete control over the device's operating system.
  • Potential disruption of network services provided by the device.
  • Possibility of further attacks within the network by leveraging the compromised device.

The risk is mitigated somewhat by the requirement for administrative authentication and the default disabling of WAN access.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves a post-authentication command injection in the "DomainName" parameter of the DHCP configuration file on affected Zyxel devices. Detection would require verifying if the device firmware version is vulnerable and checking for unauthorized changes or command executions related to this parameter.

Since exploitation requires administrator privileges and access to the device, detection commands could include inspecting the DHCP configuration file for suspicious entries or unexpected commands in the "DomainName" parameter.

However, no specific detection commands or network scanning methods are provided in the available resources.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to update the affected Zyxel devices to the patched firmware versions provided by Zyxel. Firmware updates address this vulnerability and are either immediately available or scheduled for release.

Additional mitigation includes ensuring strong password management for administrator accounts, as exploitation requires administrative authentication.

Since WAN access is disabled by default on affected devices, limiting remote exploitation, it is also advisable to maintain this default setting and restrict administrative access to trusted networks.

Users who obtained devices through ISPs should contact their ISP support for assistance due to possible custom configurations.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how the CVE-2026-1460 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

