CVE-2025-11730
Published: 05 February 2026
Summary
CVE-2025-11730 is a high-severity OS Command Injection (CWE-78) vulnerability in Zyxel ATP (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008). Its exploit-likelihood percentile is 28.1 (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-11730 is a post-authentication command injection vulnerability (CWE-78) in the Dynamic DNS (DDNS) configuration CLI command within Zyxel ZLD firmware. It affects the Zyxel ATP series, USG FLEX series, USG FLEX 50(W) series, and USG20(W)-VPN series, each on firmware versions V5.35 through V5.41. The vulnerability, published on 2026-02-05, has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, high privileges required, no user interaction, and high confidentiality, integrity, and availability impacts.
An authenticated attacker with administrator privileges can exploit this vulnerability over the network with low complexity. By supplying a specially crafted string as an argument to the affected DDNS CLI command, the attacker can execute arbitrary operating system commands on the device, potentially leading to full compromise including data exfiltration, modification, or disruption of firewall operations.
Zyxel has published a security advisory detailing the post-authentication command injection vulnerability in the DDNS configuration CLI command of affected ZLD firewalls, available at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-the-ddns-configuration-cli-command-of-zld-firewalls-02-05-2026. Security practitioners should consult this advisory for specific mitigation steps, such as applying available firmware patches.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206867
Vulnerability details
A post-authentication command injection vulnerability in the Dynamic DNS (DDNS) configuration CLI command in Zyxel ATP series firmware versions from V5.35 through V5.41, USG FLEX series firmware versions from V5.35 through V5.41, USG FLEX 50(W) series firmware versions from V5.35 through V5.41, and USG20(W)-VPN series firmware versions from V5.35 through V5.41 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device by supplying a specially crafted string as an argument to the CLI command.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Post-authentication command injection in a network device CLI directly enables arbitrary OS command execution via T1059.008 (Network Device CLI).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted input to the DDNS CLI command, blocking the specially crafted argument that triggers OS command injection.
- SI-2 (Flaw Remediation): mandates timely application of vendor firmware patches that eliminate the command-injection flaw in the affected ZLD versions.
- Enforces access restrictions on configuration-change operations, limiting which authenticated administrators can invoke the vulnerable DDNS CLI command.
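The following is an added illustration of the input-validation control (SI-10) described above; it is not Zyxel's code, and the page says nothing about how the device implements its DDNS CLI command. The example assumes a hypothetical DDNS configuration handler that takes a hostname argument from an authenticated administrator and hands it to a hypothetical `ddns-client` updater binary. It shows the CWE-78 shape (the argument spliced into a shell command string, so shell metacharacters pass straight through) next to a hardened form that checks the argument against an RFC 1123 hostname allowlist and then builds an argv list for `subprocess.run(..., shell=False)`, so no shell ever parses administrator-supplied text. The sample inputs are constructed.

```python
"""Added example: allowlist validation for a DDNS hostname CLI argument.

Not Zyxel's code. `ddns-client` and its flags are hypothetical stand-ins for
whatever updater a firewall's DDNS feature invokes.
"""
import re
import subprocess

# RFC 1123 hostname label: starts and ends with a letter or digit, may contain
# hyphens inside, at most 63 characters. A hostname is dot-separated labels,
# optionally with a trailing dot, and at most 253 characters overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")
MAX_HOSTNAME_LEN = 253


class InvalidArgument(ValueError):
    """Raised when a CLI argument fails allowlist validation."""


def validate_hostname(value: str) -> str:
    """Return `value` unchanged if it is a syntactically valid hostname.

    Anything outside the allowlist (spaces, quotes, shell metacharacters,
    leading hyphens, over-long strings) is rejected before it can reach any
    command construction, which is the SI-10 control in code form.
    """
    if not isinstance(value, str):
        raise InvalidArgument("hostname must be a string")
    if not value or len(value) > MAX_HOSTNAME_LEN:
        raise InvalidArgument("hostname is empty or exceeds 253 characters")
    if not HOSTNAME_RE.fullmatch(value):
        raise InvalidArgument(f"hostname has characters outside the allowlist: {value!r}")
    return value


def is_valid_hostname(value: str) -> bool:
    """Boolean wrapper around validate_hostname for callers that only need a verdict."""
    try:
        validate_hostname(value)
    except InvalidArgument:
        return False
    return True


def build_ddns_update_unsafe(hostname: str) -> str:
    """The CWE-78 shape: the argument is interpolated into one command string.

    If this string were given to a shell, every character the shell treats
    specially would still be in it, because nothing here filters or quotes.
    Kept only to contrast with the safe builder below; never executed.
    """
    return f"ddns-client --update --host {hostname}"


def build_ddns_update_safe(hostname: str) -> list[str]:
    """Hardened shape: validate first, then build an argv list.

    An argv list passed with shell=False reaches the updater as discrete
    arguments; there is no shell to reinterpret the hostname.
    """
    host = validate_hostname(hostname)
    return ["ddns-client", "--update", "--host", host]


def run_ddns_update(hostname: str, dry_run: bool = True) -> list[str]:
    """Validate and (optionally) execute the update; returns the argv used."""
    argv = build_ddns_update_safe(hostname)
    if not dry_run:
        # Hypothetical binary; shell=False is the point of the argv form.
        subprocess.run(argv, shell=False, check=True)
    return argv


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed hostname, then inputs that a
    # permissive handler would splice into a command but the allowlist rejects.
    for sample in ["example.dyndns.test", "host;extra", "-leading.example.test", "a b"]:
        verdict = "accepted" if is_valid_hostname(sample) else "rejected"
        print(f"{sample!r}: {verdict}")
    print(run_ddns_update("example.dyndns.test"))
```

The hardening rests on two independent layers: the allowlist rejects any string that is not a hostname, and the argv form means that even a validation gap would not hand the argument to a shell parser. The unsafe builder is included only to make the contrast concrete; returning the raw spliced string shows that interpolation alone performs no filtering.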