CVE-2025-11730

Severity: High · Type: RCE (post-authentication OS command injection)

Published: 05 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: see the Zyxel advisory for fixed firmware
CVSS Score v3.1: 7.2 (High) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0010 (28.1 percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-11730 is a high-severity post-authentication OS Command Injection (CWE-78) vulnerability in the Dynamic DNS (DDNS) configuration CLI command of Zyxel ZLD firewall firmware: the ATP, USG FLEX, USG FLEX 50(W) and USG20(W)-VPN series, versions V5.35 through V5.41 (the affected products are inferred from the vendor references, as NVD has not filed a CPE). Its CVSS v3.1 base score is 7.2 (High); the PR:H component reflects that administrator privileges are required.

Operationally, exploitation maps to the MITRE ATT&CK technique Network Device CLI (T1059.008). EPSS ranks it at the 28.1 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-11730 is a post-authentication command injection vulnerability (CWE-78) in the Dynamic DNS (DDNS) configuration CLI command within Zyxel ZLD firmware. It affects the ATP, USG FLEX, USG FLEX 50(W) and USG20(W)-VPN series, in each case firmware versions V5.35 through V5.41. The vulnerability, published on 2026-02-05, has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, no user interaction, but high privileges (an administrator account) required, with high confidentiality, integrity, and availability impact on the device itself.
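The version ranges above are what a practitioner needs for an inventory pass. The following is an added example (not Zyxel's code and not from this page) that encodes the four series and the V5.35 through V5.41 window as a lookup over a constructed device list. The "Vx.yy(....)" shape of the firmware label is an assumption about how ZLD versions are written; only the leading major.minor pair is used. Because the fixed release is not stated on this page, a result of 1 means "inside the published affected window", not "unpatched"; confirm the fix version against the Zyxel advisory.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Product series named on this page as affected by CVE-2025-11730. */
static const char *AFFECTED_SERIES[] = {
    "ATP", "USG FLEX", "USG FLEX 50(W)", "USG20(W)-VPN"
};

/* Parse a firmware label such as "V5.37(ABPS.2)" or "5.41" into major/minor.
 * The "V" prefix and the parenthesised suffix are assumed, not taken from the
 * page; anything after major.minor is ignored. Returns 1 on success, 0 if the
 * label does not start with two dot-separated unsigned integers. */
int parse_zld_version(const char *s, unsigned *major, unsigned *minor) {
    if (s == NULL) return 0;
    if (*s == 'V' || *s == 'v') s++;
    return sscanf(s, "%u.%u", major, minor) == 2;
}

/* Case-insensitive exact match against the series list; "USG FLEX" and
 * "USG FLEX 50(W)" are distinct entries, so a prefix match is not used. */
int series_is_listed(const char *series) {
    size_t n = sizeof AFFECTED_SERIES / sizeof AFFECTED_SERIES[0];
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(series, AFFECTED_SERIES[i]) == 0) return 1;
    return 0;
}

/* 1  = listed series and firmware within V5.35..V5.41 (page's affected window)
 * 0  = unlisted series, or firmware outside that window
 * -1 = series is listed but the firmware label could not be parsed (check by hand) */
int cve_2025_11730_affected(const char *series, const char *fw) {
    unsigned major = 0, minor = 0;
    if (!series_is_listed(series)) return 0;
    if (!parse_zld_version(fw, &major, &minor)) return -1;
    if (major != 5) return 0;
    return (minor >= 35 && minor <= 41) ? 1 : 0;
}

int main(void) {
    /* Constructed inventory rows for illustration, not real devices. */
    struct { const char *series, *fw; } inv[] = {
        { "ATP",          "V5.37(ABPS.2)" },
        { "USG FLEX",     "V5.34" },
        { "USG20(W)-VPN", "V5.41" },
        { "NWA",          "V5.38" },
        { "ATP",          "n/a" },
    };
    for (size_t i = 0; i < sizeof inv / sizeof inv[0]; i++)
        printf("%-14s %-16s -> %d\n", inv[i].series, inv[i].fw,
               cve_2025_11730_affected(inv[i].series, inv[i].fw));
    return 0;
}
```

Feed it the series and firmware columns of your firewall inventory; rows returning -1 need a manual look because the label did not parse, and rows returning 1 should be cross-checked against the advisory's fixed-version list before being closed.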

An authenticated attacker with administrator privileges can exploit this vulnerability over the network with low complexity. By supplying a specially crafted string as an argument to the affected DDNS CLI command, the attacker can execute arbitrary operating system commands on the device, potentially leading to full compromise including data exfiltration, configuration tampering, or disruption of firewall operations. Because administrator credentials are a precondition, practical exposure is governed by who can reach the management CLI and how those credentials are protected: the flaw turns a compromised, shared, or malicious administrator account into arbitrary command execution on the firewall itself, beyond anything the CLI is meant to permit.
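The mechanism described above, and the input-validation control listed under Mitigating Controls, as an added example that is not Zyxel's code and not taken from the page: a CLI handler that splices the operator-supplied DDNS hostname into a shell command line (the vulnerable shape) next to one that allow-lists the value and hands it to execv() as a single argv element so no shell ever parses it. The helper path /usr/sbin/ddns_update and its -h flag are hypothetical stand-ins for whatever the firmware actually invokes.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical helper binary and flag; the real DDNS plumbing is not on the page. */
#define DDNS_HELPER "/usr/sbin/ddns_update"

/* Vulnerable pattern (illustrative only): the argument is spliced into a shell
 * command line. "host.example.org;id" ends the intended command at ';' and a
 * shell would run "id" as a second command. The system() call that a real
 * handler would make next is deliberately not made here. */
int build_ddns_cmd_unsafe(char *out, size_t outlen, const char *hostname) {
    int n = snprintf(out, outlen, DDNS_HELPER " -h %s", hostname);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Allow-list validation (the SI-10 control): accept only RFC 1123 hostname
 * syntax, i.e. dot-separated labels of letters, digits and '-', no empty
 * label, no label starting or ending with '-', label <= 63, total <= 253.
 * Every shell metacharacter (; | & $ ` < > space, quotes, newline) fails. */
int is_valid_ddns_hostname(const char *h) {
    size_t len = strlen(h);
    if (len == 0 || len > 253) return 0;
    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)h[i];
        if (c == '.') {
            if (label_len == 0 || h[i - 1] == '-') return 0;
            label_len = 0;
            continue;
        }
        if (!isalnum(c) && c != '-') return 0;
        if (c == '-' && label_len == 0) return 0;
        if (++label_len > 63) return 0;
    }
    /* a trailing '.' (empty final label) or a label ending in '-' is rejected */
    return label_len > 0 && h[len - 1] != '-';
}

/* Hardened pattern: validate, then execv() the helper with an argv array so no
 * shell tokenises the value. Returns -1 if validation fails (nothing is
 * executed), otherwise the helper's exit status (127 if it cannot be exec'd). */
int ddns_update_safe(const char *hostname) {
    if (!is_valid_ddns_hostname(hostname)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { DDNS_HELPER, "-h", (char *)hostname, NULL };
        execv(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample arguments: one legitimate, four hostile or malformed. */
    const char *samples[] = { "host.example.org", "host.example.org;id",
                              "$(reboot)", "-bad.example.org", "a..b" };
    char cmd[512];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        build_ddns_cmd_unsafe(cmd, sizeof cmd, samples[i]);
        printf("%-22s allow-list=%d  unsafe cmdline: %s\n",
               samples[i], is_valid_ddns_hostname(samples[i]), cmd);
    }
    return 0;
}
```

Two points matter in the hardened version: the allow-list is on the syntax the field is supposed to hold, not a deny-list of characters an attacker has thought of, and the argument reaches the helper as one argv element, so even a value that slips past validation cannot split into a second command.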

Zyxel has published a security advisory for this post-authentication command injection in the DDNS configuration CLI command of ZLD firewalls, available at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-the-ddns-configuration-cli-command-of-zld-firewalls-02-05-2026. Consult the advisory for the authoritative affected-product list and mitigation steps, such as applying the available firmware patches, before closing the finding.

Vulnerability details

A post-authentication command injection vulnerability in the Dynamic DNS (DDNS) configuration CLI command in Zyxel ATP series firmware versions from V5.35 through V5.41, USG FLEX series firmware versions from V5.35 through V5.41, USG FLEX 50(W) series firmware versions from V5.35 through V5.41, and USG20(W)-VPN series firmware versions from V5.35 through V5.41 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device by supplying a specially crafted string as an argument to the CLI command.

CWE(s)

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-inferred mapping)

T1059.008 Network Device CLI (tactic: Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

Why this technique?

Post-auth command injection in a network device CLI directly enables arbitrary OS command execution via T1059.008 (Network Device CLI).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-3828 (shares CWE-78)
- CVE-2025-15518 (shares CWE-78)
- CVE-2026-23816 (shares CWE-78)
- CVE-2026-23820 (shares CWE-78)
- CVE-2025-15519 (shares CWE-78)
- CVE-2024-26012 (shares CWE-78)
- CVE-2026-22222 (shares CWE-78)
- CVE-2026-22224 (shares CWE-78)
- CVE-2025-11005 (shares CWE-78)
- CVE-2026-31177 (shares CWE-78)

Affected Assets

Zyxel ATP, USG FLEX, USG FLEX 50(W) and USG20(W)-VPN series firewalls, firmware V5.35 through V5.41
(inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-inferred mapping)

- SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of untrusted input to the DDNS CLI command, blocking the specially crafted argument that triggers OS command injection.
- SI-2 Flaw Remediation (prevent): Mandates timely application of vendor firmware patches that eliminate the command-injection flaw in the affected ZLD versions.
- Access restrictions for change (prevent): Enforces access restrictions on configuration-change operations, limiting which authenticated administrators can invoke the vulnerable DDNS CLI command.

References

Zyxel security advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-the-ddns-configuration-cli-command-of-zld-firewalls-02-05-2026