Cyber Resilience

CVE-2026-1459

HighRCE

Published: 24 February 2026

Published
24 February 2026
Modified
25 February 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 10.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-1459 is a high-severity OS Command Injection (CWE-78) vulnerability in Zyxel Vmg8623-T50B Firmware. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1459 is a post-authentication command injection vulnerability (CWE-78) in the TR-369 certificate download CGI program of Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.7)C0. Published on 2026-02-24, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An authenticated attacker with administrator privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation enables execution of arbitrary operating system commands on the affected device, granting high-level access that compromises confidentiality, integrity, and availability.

Zyxel has issued a security advisory covering this command injection vulnerability alongside null pointer dereference issues in various 4G LTE, 5G NR CPE, DSL Ethernet CPE, Fiber ONTs, security routers, and wireless extenders, accessible at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026. Practitioners should review it for recommended mitigations and firmware patches.

EU & UK References

Vulnerability details

A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.7)C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Post-auth command injection (CWE-78) in network device web/CGI interface directly enables remote OS command execution via Unix shell after valid admin account use.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-13943Same product: Zyxel Dx5401-B1
CVE-2024-40890Same vendor: Zyxel
CVE-2025-13942Same vendor: Zyxel
CVE-2026-7256Same vendor: Zyxel
CVE-2024-40891Same vendor: Zyxel
CVE-2025-8693Same product: Zyxel Dx5401-B1
CVE-2025-7673Same product: Zyxel Emg3525-T50B
CVE-2026-42454Shared CWE-78
CVE-2026-34796Shared CWE-78
CVE-2024-57016Shared CWE-78

Affected Assets

zyxel
vmg8623-t50b firmware
≤ 5.50\(abpm.9.7\)c0
zyxel
dx5401-b1 firmware
≤ 5.17\(abyo.7.1\)c0
zyxel
emg3525-t50b firmware
≤ 5.50\(abpm.9.7\)c0
zyxel
emg5523-t50b firmware
≤ 5.50\(abpm.9.7\)c0
zyxel
vmg3625-t50b firmware
≤ 5.50\(abpm.9.7\)c0
zyxel
vmg3625-t50c firmware
≤ 5.50\(abpm.9.7\)c0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of all inputs to the TR-369 certificate-download CGI, blocking the OS command injection payload before execution.

prevent

Mandates prompt application of the vendor firmware patch that removes the command-injection flaw in the affected CGI handler.

prevent

Restricts the number of accounts granted administrator privileges, thereby reducing the population that can reach the vulnerable post-auth CGI endpoint.

References