7.2
Zyxel VMG3625-T50B Firmware Command Injection Flaw Allows Admin Access
CVE-2026-1459
Summary
The certificate download feature of the Zyxel VMG3625-T50B has a command injection flaw that lets someone who already has administrator access run unauthorized operating system commands on the device. This could allow them to make changes or access sensitive information they shouldn't have. Update the firmware to the latest version to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| zyxel | vmg8623-t50b_firmware | <= 5.50(abpm.9.7)c0 | – |
| zyxel | dx5401-b1_firmware | <= 5.17(abyo.7.1)c0 | – |
| zyxel | emg3525-t50b_firmware | <= 5.50(abpm.9.7)c0 | – |
| zyxel | emg5523-t50b_firmware | <= 5.50(abpm.9.7)c0 | – |
| zyxel | vmg3625-t50b_firmware | <= 5.50(abpm.9.7)c0 | – |
| zyxel | vmg3625-t50c_firmware | <= 5.50(abpm.9.7)c0 | – |
Original title
A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.7)C0 could allow an authenticate...
Original description
A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.7)C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device.
nvd CVSS3.1
7.2
Vulnerability type
CWE-78
OS Command Injection
Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026