CVE-2026-7256
Published: 12 May 2026
Summary
CVE-2026-7256 is a high-severity OS Command Injection (CWE-78) vulnerability in Zyxel Wre6505 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 41.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability is a command injection flaw, tracked as CVE-2026-7256 and assigned CWE-78, that resides in the CGI program of the Zyxel WRE6505 v2 wireless range extender running firmware version V1.00(ABDV.3)C0. The issue was disclosed on 2026-05-12 and explicitly labeled unsupported when assigned, with a CVSS 3.1 score of 8.8 reflecting high impact on confidentiality, integrity, and availability.
An unauthenticated attacker positioned on the same LAN segment can exploit the flaw by sending a crafted HTTP request to the device, resulting in arbitrary operating-system command execution on the affected hardware.
The single reference URL directs to Zyxel’s end-of-life support page, confirming that the product line receives no further security updates or patches.
EPSS remains low and unchanged at a peak of 0.0141, indicating no material increase in observed exploitation interest after disclosure.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-29376
Vulnerability details
** UNSUPPORTED WHEN ASSIGNED ** A command injection vulnerability in the CGI program of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow an adjacent attacker on the LAN to execute operating system (OS) commands on a vulnerable device by sending…
more
a crafted HTTP request.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CWE-78 OS command injection in device CGI/web interface directly enables remote OS command execution on the appliance.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Input validation on CGI parameters would directly block the crafted HTTP requests used for OS command injection (CWE-78).
Explicitly requires replacement or isolation of the unsupported Zyxel WRE6505 v2 that receives no security updates or patches.
Enforces authentication and authorization checks before allowing any CGI execution, eliminating the unauthenticated adjacent attack path.