PT-2026-5873 · Zyxel · Zyxel ATP Series +3
Published 2026-02-04 · Updated 2026-02-25 · CVE-2025-11730
CVSS v2.0: 9.0 High | AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Zyxel ATP series versions V5.35 through V5.41
Zyxel USG FLEX series versions V5.35 through V5.41
Zyxel USG FLEX 50(W) series versions V5.35 through V5.41
Zyxel USG20(W)-VPN series versions V5.35 through V5.41
Description
A post-authentication command injection issue exists in the Dynamic DNS (DDNS) configuration command-line interface (CLI) command. An authenticated attacker with administrator privileges can execute operating system (OS) commands on an affected device by providing a specially crafted string as an argument to the CLI command.
Recommendations
Zyxel ATP series versions prior to V5.35 and after V5.41
Zyxel USG FLEX series versions prior to V5.35 and after V5.41
Zyxel USG FLEX 50(W) series versions prior to V5.35 and after V5.41
Zyxel USG20(W)-VPN series versions prior to V5.35 and after V5.41
Fix
RCE
OS Command Injection
Affected Products
Zyxel ATP Series
Zyxel USG FLEX 50(W) Series
Zyxel USG FLEX Series
Zyxel USG20(W)-VPN Series