Cyber Resilience

CVE-2026-7256

High

Published: 12 May 2026

Published
12 May 2026
Modified
16 May 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0101 58.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-7256 is a high-severity OS Command Injection (CWE-78) vulnerability in Zyxel Wre6505 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 41.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability is a command injection flaw, tracked as CVE-2026-7256 and assigned CWE-78, that resides in the CGI program of the Zyxel WRE6505 v2 wireless range extender running firmware version V1.00(ABDV.3)C0. The issue was disclosed on 2026-05-12 and explicitly labeled unsupported when assigned, with a CVSS 3.1 score of 8.8 reflecting high impact on confidentiality, integrity, and availability.

An unauthenticated attacker positioned on the same LAN segment can exploit the flaw by sending a crafted HTTP request to the device, resulting in arbitrary operating-system command execution on the affected hardware.

The single reference URL directs to Zyxel’s end-of-life support page, confirming that the product line receives no further security updates or patches.

EPSS remains low and unchanged at a peak of 0.0141, indicating no material increase in observed exploitation interest after disclosure.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

** UNSUPPORTED WHEN ASSIGNED ** A command injection vulnerability in the CGI program of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow an adjacent attacker on the LAN to execute operating system (OS) commands on a vulnerable device by sending…

more

a crafted HTTP request.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

CWE-78 OS command injection in device CGI/web interface directly enables remote OS command execution on the appliance.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-13942Same vendor: Zyxel
CVE-2024-40890Same vendor: Zyxel
CVE-2025-13943Same vendor: Zyxel
CVE-2026-1459Same vendor: Zyxel
CVE-2024-40891Same vendor: Zyxel
CVE-2025-8693Same vendor: Zyxel
CVE-2018-25115Shared CWE-78
CVE-2025-24382Shared CWE-78
CVE-2026-29058Shared CWE-78
CVE-2024-57016Shared CWE-78

Affected Assets

zyxel
wre6505 firmware
v1.00\(abdv.3\)c0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Input validation on CGI parameters would directly block the crafted HTTP requests used for OS command injection (CWE-78).

prevent

Explicitly requires replacement or isolation of the unsupported Zyxel WRE6505 v2 that receives no security updates or patches.

prevent

Enforces authentication and authorization checks before allowing any CGI execution, eliminating the unauthenticated adjacent attack path.

References