{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1460", "assignerOrgId": "96e50032-ad0d-4058-a115-4d2c13821f9f", "state": "PUBLISHED", "assignerShortName": "Zyxel", "dateReserved": "2026-01-27T01:26:25.772Z", "datePublished": "2026-04-28T02:06:22.568Z", "dateUpdated": "2026-04-28T12:52:53.208Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "96e50032-ad0d-4058-a115-4d2c13821f9f", "shortName": "Zyxel", "dateUpdated": "2026-04-28T02:06:22.568Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78 Improper neutralization of special elements used in an OS command ('OS command injection')", "type": "CWE"}]}], "affected": [{"vendor": "Zyxel", "product": "DX3301-T0 firmware", "versions": [{"status": "affected", "version": "<= 5.50(ABVY.7.1)C0"}], "defaultStatus": "unaffected"}, {"vendor": "Zyxel", "product": "EX3301-T0 firmware", "versions": [{"status": "affected", "version": "<= 5.50(ABVY.7.1)C0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A post-authentication command injection vulnerability in the \u201cDomainName\u201d parameter of the DHCP configuration file in Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A post-authentication command injection vulnerability in the \u201cDomainName\u201d parameter of the DHCP configuration file in Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device."}]}], "references": [{"url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T12:52:39.706460Z", "id": "CVE-2026-1460", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:52:53.208Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1460", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-28T12:52:39.706460Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:52:47.855Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Zyxel", "product": "DX3301-T0 firmware", "versions": [{"status": "affected", "version": "<= 5.50(ABVY.7.1)C0"}], "defaultStatus": "unaffected"}, {"vendor": "Zyxel", "product": "EX3301-T0 firmware", "versions": [{"status": "affected", "version": "<= 5.50(ABVY.7.1)C0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "A post-authentication command injection vulnerability in the \u201cDomainName\u201d parameter of the DHCP configuration file in Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device.", "supportingMedia": [{"type": "text/html", "value": "A post-authentication command injection vulnerability in the \u201cDomainName\u201d parameter of the DHCP configuration file in Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper neutralization of special elements used in an OS command ('OS command injection')"}]}], "providerMetadata": {"orgId": "96e50032-ad0d-4058-a115-4d2c13821f9f", "shortName": "Zyxel", "dateUpdated": "2026-04-28T02:06:22.568Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1460", "state": "PUBLISHED", "dateUpdated": "2026-04-28T12:52:53.208Z", "dateReserved": "2026-01-27T01:26:25.772Z", "assignerOrgId": "96e50032-ad0d-4058-a115-4d2c13821f9f", "datePublished": "2026-04-28T02:06:22.568Z", "assignerShortName": "Zyxel"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A post-authentication command injection vulnerability in the \u201cDomainName\u201d parameter of the DHCP configuration file in Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device."}], "id": "CVE-2026-1460", "lastModified": "2026-04-28T03:16:02.313", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@zyxel.com.tw", "type": "Primary"}]}, "published": "2026-04-28T03:16:02.313", "references": [{"source": "security@zyxel.com.tw", "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026"}], "sourceIdentifier": "security@zyxel.com.tw", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@zyxel.com.tw", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.50(ABVY.7.1)C0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "DX3301-T0 firmware", "source": "cna", "vendor": "Zyxel"}, "product": "dx3301-t0_firmware", "vendor": "zyxel"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.50(ABVY.7.1)C0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "EX3301-T0 firmware", "source": "cna", "vendor": "Zyxel"}, "product": "ex3301-t0_firmware", "vendor": "zyxel"}], "analysis": {"en": {"generated_at": "2026-04-28T12:31:59.428377+00:00", "value": {"mitigation_remediation": ["Obtain and install the latest Zyxel firmware that removes the vulnerable DomainName parameter processing.", "Restrict administrative access to trusted IP addresses or enforce strong authentication policies.", "Monitor device logs for unexpected command execution or configuration changes."], "summary": {"action": "Apply Update", "impact": "Remote Command Execution"}, "threat_synthesis": {"affected_systems": "Zyxel DX3301-T0 and EX3301-T0 routers with firmware versions up to and including 5.50(ABVY.7.1)C0. The affected devices are 4G/LTE and 5G NR CPEs, DSL/ethernet/OPT fiber ONTs, and wireless extenders used by organizations.", "description_and_impact": "A vulnerable parameter in the DHCP configuration file, named DomainName, allows an attacker who has already authenticated with administrative privileges to inject arbitrary OS commands. The flaw is a classic command injection, identified as CWE\u201178, and could lead to uncontrolled execution of malicious system commands, compromising the integrity and confidentiality of the device.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high severity and the lack of an EPSS score means known exploitation data is not currently measurable; however the vulnerability is not yet listed in the CISA KEV catalog. An attacker would need administrative credentials, which are typically limited, but once obtained could execute arbitrary commands on the device. The attack vector is local network or remote if the device is reachable from outside the private network, and the scope is limited to the target device."}}}}, "created": "2026-04-28T04:45:22.293469+00:00", "title": "Command Injection in Zyxel DX3301-T0 and EX3301-T0 Firmware", "updated": "2026-04-28T12:45:31.383998+00:00", "vendors": ["zyxel", "zyxel$PRODUCT$dx3301-t0_firmware", "zyxel$PRODUCT$ex3301-t0_firmware"]}