Cyber Resilience

CVE-2026-1460

HighRCE

Published: 28 April 2026

Published
28 April 2026
Modified
28 April 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0008 23.1th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-1460 is a high-severity OS Command Injection (CWE-78) vulnerability in Zyxel DX3301-T0 (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 23.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1460 is a post-authentication command injection vulnerability (CWE-78) in the "DomainName" parameter of the DHCP configuration file within Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0. It enables arbitrary OS command execution on affected devices and carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete compromise despite requiring elevated privileges.

An authenticated attacker possessing administrator privileges can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation allows execution of arbitrary operating system commands, potentially granting full control over the device, including data exfiltration, modification, or disruption of services.

Zyxel has published a security advisory detailing this and related command injection vulnerabilities in certain 4G LTE, 5G NR CPE, DSL Ethernet CPE, fiber ONTs, and wireless extenders, available at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026. Security practitioners should consult it for specific patch information and mitigation guidance.

EU & UK References

Vulnerability details

A post-authentication command injection vulnerability in the “DomainName” parameter of the DHCP configuration file in Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Post-auth command injection (CWE-78) in DHCP config directly enables arbitrary Unix shell command execution on the device.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-44724Shared CWE-78
CVE-2026-22227Shared CWE-78
CVE-2024-40891Shared CWE-78
CVE-2026-26280Shared CWE-78
CVE-2024-57019Shared CWE-78
CVE-2026-45152Shared CWE-78
CVE-2025-53949Shared CWE-78
CVE-2026-8652Shared CWE-78
CVE-2026-35071Shared CWE-78
CVE-2024-11253Shared CWE-78

Affected Assets

Zyxel
DX3301-T0
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates command injection in the DomainName parameter by requiring input validation mechanisms at configuration file processing points.

prevent

Ensures timely flaw remediation through firmware patching as advised by Zyxel for this specific command injection vulnerability.

prevent

Enforces least privilege to limit the scope of arbitrary OS command execution even if an administrator exploits the post-authentication vulnerability.

References