CVE-2026-1459
Published: 24 February 2026
Summary
CVE-2026-1459 is a high-severity OS Command Injection (CWE-78) vulnerability in Zyxel Vmg8623-T50B Firmware. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-1459 is a post-authentication command injection vulnerability (CWE-78) in the TR-369 certificate download CGI program of Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.7)C0. Published on 2026-02-24, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
An authenticated attacker with administrator privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation enables execution of arbitrary operating system commands on the affected device, granting high-level access that compromises confidentiality, integrity, and availability.
Zyxel has issued a security advisory covering this command injection vulnerability alongside null pointer dereference issues in various 4G LTE, 5G NR CPE, DSL Ethernet CPE, Fiber ONTs, security routers, and wireless extenders, accessible at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026. Practitioners should review it for recommended mitigations and firmware patches.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7399
Vulnerability details
A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.7)C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Post-auth command injection (CWE-78) in network device web/CGI interface directly enables remote OS command execution via Unix shell after valid admin account use.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of all inputs to the TR-369 certificate-download CGI, blocking the OS command injection payload before execution.
Mandates prompt application of the vendor firmware patch that removes the command-injection flaw in the affected CGI handler.
Restricts the number of accounts granted administrator privileges, thereby reducing the population that can reach the vulnerable post-auth CGI endpoint.